From vedaal at hush.com Thu Feb 1 17:30:50 2007
From: vedaal at hush.com (vedaal at hush.com)
Date: Thu, 01 Feb 2007 11:30:50 -0500
Subject: explain nrsign & lsign?
Message-ID: <20070201163148.3B39422840@mailserver9.hushmail.com>
David Shaw dshaw at jabberwocky.com
Wed Jan 31 22:19:33 CET 2007 wrote:
> Indeed. It is also possible that the keyservers aren't being
targeted
>specifically as keyservers, but rather that people have links to
>keyserver searches out there, and the spammers are just using a
>crawler that happens to follow that link.
fwiw,
i have two e-mail addresses in my 'real name'
(one at hushmail, and one at a private address)
and have a key on the pgp global keyserver with the primary address
as the private address, and the hushmail address as a secondary id,
and have sent it to gpg keyservers as well
have not received _any_ spam in the more than 2 years
that the key has been uploaded,
maybe because those e-mail addresses are not part of any mailing
lists,
are not on any webpages or usenet posts,
and are used only for formal work-related correspondence,
in contrast,
have tons of spam at the vedaal address ;-(
vedaal
Concerned about your privacy? Instantly send FREE secure email, no account required
http://www.hushmail.com/send?l=480
Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485
From randy at randyburns.us Thu Feb 1 18:43:52 2007
From: randy at randyburns.us (Randy Burns)
Date: Thu, 1 Feb 2007 09:43:52 -0800 (PST)
Subject: explain nrsign & lsign?
In-Reply-To: <20070131211933.GD27765@jabberwocky.com>
Message-ID: <17568.57261.qm@web50906.mail.yahoo.com>
--- David Shaw wrote:
> On Mon, Jan 29, 2007 at 05:20:20PM +0100, Werner Koch wrote:
> > On Mon, 29 Jan 2007 16:22, dshaw at jabberwocky.com said:
> >
> > > etc. Nowadays, many spammers aren't using their own bandwidth or
> CPU.
> > > So why *not* hit the keyservers? It costs them essentially nothing.
> >
> > OTOH, addresses taken from the addressbook as available on the host
> > (== zombie Windows PC) are much more effective than harvesting the web
> > or kyeservers. These local addresses are more certain to actually be
> > used and even better: the recipient of the spam knows the sender.
>
> Indeed. It is also possible that the keyservers aren't being targeted
> specifically as keyservers, but rather that people have links to
> keyserver searches out there, and the spammers are just using a
> crawler that happens to follow that link. Some keyservers don't
> obfuscate their search results.
>
> David
>
Something to think about when organizing a keysigning too. Avoid putting a
participant list on a webpage. Just a keyring maybe.
Randy
From wk at gnupg.org Thu Feb 1 20:14:20 2007
From: wk at gnupg.org (Werner Koch)
Date: Thu, 01 Feb 2007 20:14:20 +0100
Subject: New command line language parameter
In-Reply-To: <200701300956.l0U9u38R019043@edison.ccupm.upm.es> (Juan
=?utf-8?Q?Marug=C3=A1n's?=
message of "Tue\, 30 Jan 2007 10\:52\:26 +0100")
References: <200701300956.l0U9u38R019043@edison.ccupm.upm.es>
Message-ID: <87ps8tu1v7.fsf@wheatstone.g10code.de>
On Tue, 30 Jan 2007 10:52, jmarugan at alumnos.upm.es said:
> ---Begining of .bat file ----------------------------------
> @echo off
> cls
> echo Verifying...
> %1\gpg.exe --homedir %2 --langfile %1\gnupg.nls\es.mo --verify %3
> ---End of .bat file ---------------------------------------
You may already use
---Begining of .bat file ----------------------------------
@echo off
cls
echo Verifying...
set LANG=%1
gpg.exe --homedir %2 --verify %3
---End of .bat file ---------------------------------------
If you just care about the language. For Spanish es_ES should be the
right argument. I have not looked at the other isues but setting
--homedir should be enough to go without the defaults from the
registry.
Shalom-Salam,
Werner
From schneecrash+gnupg-users at gmail.com Thu Feb 1 20:23:58 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Thu, 1 Feb 2007 11:23:58 -0800
Subject: 'sensitive' designated revoker -- are the keyservers still aware?
Message-ID: <70f41ba20702011123h761d919bk1cd07773f0752dae@mail.gmail.com>
if i've added a designated revoker to a key, WITH the 'sensitive' flag.
am i correct that:
(1) the 'sensitive' flag prevents the *export* of the add'l/designated
revoker's key
(2) the keyservers still learn/know that there IS a designated
revoker, AND its KeyID/UID
?
thanks.
From dshaw at jabberwocky.com Thu Feb 1 21:04:27 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 1 Feb 2007 15:04:27 -0500
Subject: 'sensitive' designated revoker -- are the keyservers still aware?
In-Reply-To: <70f41ba20702011123h761d919bk1cd07773f0752dae@mail.gmail.com>
References: <70f41ba20702011123h761d919bk1cd07773f0752dae@mail.gmail.com>
Message-ID: <20070201200427.GC23780@jabberwocky.com>
On Thu, Feb 01, 2007 at 11:23:58AM -0800, snowcrash+gnupg-users wrote:
> if i've added a designated revoker to a key, WITH the 'sensitive' flag.
>
> am i correct that:
>
> (1) the 'sensitive' flag prevents the *export* of the add'l/designated
> revoker's key
> (2) the keyservers still learn/know that there IS a designated
> revoker, AND its KeyID/UID
Not exactly. When exporting a key that has a sensitive designated
revoker set, the key is exported, but the designated revoker
information is not included. Anyone looking at the key from the
outside cannot tell the difference between this state, and no
designated revoker set at all. However, if the designated revoker has
in fact revoked the key, then the designated revoker information IS
included, along with the revocation.
The idea behind this is that the relationship between the designated
revoker and the key owner is sensitive, and so we must not reveal the
identity designated revoker until we absolutely must (i.e. when they
actually revoke the key).
Note that there is an option "export-sensitive-revkeys" which tells
GPG to export the designated revoker information even if the key isn't
revoked. This essentially pretends that the "sensitive" flag is not
set. Under normal circumstances, you don't want to do this.
David
From schneecrash+gnupg-users at gmail.com Thu Feb 1 21:12:14 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Thu, 1 Feb 2007 12:12:14 -0800
Subject: 'sensitive' designated revoker -- are the keyservers still aware?
In-Reply-To: <20070201200427.GC23780@jabberwocky.com>
References: <70f41ba20702011123h761d919bk1cd07773f0752dae@mail.gmail.com>
<20070201200427.GC23780@jabberwocky.com>
Message-ID: <70f41ba20702011212r5d05e880uab9c48edea46ec44@mail.gmail.com>
> When exporting a key that has a sensitive designated
> revoker set, the key is exported, but the designated revoker
> information is not included. Anyone looking at the key from the
> outside cannot tell the difference between this state, and no
> designated revoker set at all. However, if the designated revoker has
> in fact revoked the key, then the designated revoker information IS
> included, along with the revocation.
>
> The idea behind this is that the relationship between the designated
> revoker and the key owner is sensitive, and so we must not reveal the
> identity designated revoker until we absolutely must (i.e. when they
> actually revoke the key).
that, actually, is what i was hoping to hear/learn. :-)
thanks for the clarification!
From vedaal at hush.com Thu Feb 1 21:21:02 2007
From: vedaal at hush.com (vedaal at hush.com)
Date: Thu, 01 Feb 2007 15:21:02 -0500
Subject: 'sensitive' designated revoker -- are the keyservers still aware?
Message-ID: <20070201202103.453D2DA834@mailserver7.hushmail.com>
David Shaw dshaw at jabberwocky.com wrote on
Thu Feb 1 21:04:27 CET 2007
>The idea behind this is that the relationship
>between the designated revoker and the key owner is sensitive,
> and so we must not reveal the identity designated revoker
>until we absolutely must
>(i.e. when they actually revoke the key).
why must the identity be revealed at all,
if the key-owner who designated the revoker doesn't want it to be?
it doesn't add to the security to know who revoked it,
(whoever it as, it was someone the 'key-owner' decided it should be)
it only compromises the revoker and/or key owner, as the revoker
may become a target to revoke the original key-owner's replacement
key
(n.b.
not a big deal,
just curious as to why it was done this way
there is a very simple workaround for anyone uncomfortable with it:
the designated revoker doesn't have to be a 'person',
it just has to be another 'key'
which can have a fictitious name,
and given to the person who is trusted to do the revoking when
necessary)
vedaal
Concerned about your privacy? Instantly send FREE secure email, no account required
http://www.hushmail.com/send?l=480
Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485
From dshaw at jabberwocky.com Thu Feb 1 21:37:25 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 1 Feb 2007 15:37:25 -0500
Subject: 'sensitive' designated revoker -- are the keyservers still aware?
In-Reply-To: <20070201202103.453D2DA834@mailserver7.hushmail.com>
References: <20070201202103.453D2DA834@mailserver7.hushmail.com>
Message-ID: <20070201203725.GD23780@jabberwocky.com>
On Thu, Feb 01, 2007 at 03:21:02PM -0500, vedaal at hush.com wrote:
> David Shaw dshaw at jabberwocky.com wrote on
> Thu Feb 1 21:04:27 CET 2007
>
> >The idea behind this is that the relationship
> >between the designated revoker and the key owner is sensitive,
> > and so we must not reveal the identity designated revoker
> >until we absolutely must
> >(i.e. when they actually revoke the key).
>
>
> why must the identity be revealed at all,
> if the key-owner who designated the revoker doesn't want it to be?
Any anonymous revoker could not do their job as we wouldn't know
whether to ignore the revocation or not. For example, say you
designated me as your revoker. If my identity is kept secret, even
after I issued a revocation, how could someone coming across that
revocation know that they should accept it?
David
From dshaw at jabberwocky.com Thu Feb 1 22:39:34 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 1 Feb 2007 16:39:34 -0500
Subject: explain nrsign & lsign?
In-Reply-To: <17568.57261.qm@web50906.mail.yahoo.com>
References: <20070131211933.GD27765@jabberwocky.com>
<17568.57261.qm@web50906.mail.yahoo.com>
Message-ID: <20070201213934.GE23780@jabberwocky.com>
On Thu, Feb 01, 2007 at 09:43:52AM -0800, Randy Burns wrote:
> > > OTOH, addresses taken from the addressbook as available on the host
> > > (== zombie Windows PC) are much more effective than harvesting the web
> > > or kyeservers. These local addresses are more certain to actually be
> > > used and even better: the recipient of the spam knows the sender.
> >
> > Indeed. It is also possible that the keyservers aren't being targeted
> > specifically as keyservers, but rather that people have links to
> > keyserver searches out there, and the spammers are just using a
> > crawler that happens to follow that link. Some keyservers don't
> > obfuscate their search results.
>
> Something to think about when organizing a keysigning too. Avoid putting a
> participant list on a webpage. Just a keyring maybe.
Good point. I like the service that biglumber provides for
keysignings. It nicely automates a lot of the bookkeeping, tracks the
participant list, etc. It also makes the information spam-unfriendly.
David
From atom at smasher.org Thu Feb 1 23:14:22 2007
From: atom at smasher.org (Atom Smasher)
Date: Thu, 1 Feb 2007 17:14:22 -0500 (EST)
Subject: 'sensitive' designated revoker -- are the keyservers still aware?
In-Reply-To: <20070201202103.453D2DA834@mailserver7.hushmail.com>
References: <20070201202103.453D2DA834@mailserver7.hushmail.com>
Message-ID: <20070201221423.96884.qmail@smasher.org>
On Thu, 1 Feb 2007, vedaal at hush.com wrote:
> why must the identity be revealed at all, if the key-owner who
> designated the revoker doesn't want it to be?
>
> it doesn't add to the security to know who revoked it, (whoever it as,
> it was someone the 'key-owner' decided it should be) it only compromises
> the revoker and/or key owner, as the revoker may become a target to
> revoke the original key-owner's replacement key
============================
if that's a concern... bob wants to designate alice as a revoker, but bob
[or alice] doesn't want to reveal that alice is the desiganted revoker,
even if his key is revoked. the solution is for bob to generate a
revocation certificate, encrypt it to alice, and send it to alice with
instructions about if/when to publish it. this basically serves the same
purpose, but doesn't necessarily reveal that alice was the designated
revoker.
a variation could break the revocation certificate into shares, requiring
any number of "secret revokers" to assemble the revocation certificate.
--
...atom
________________________
http://atom.smasher.org/
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"They tell us that we live in a great free republic;
that our institutions are democratic; that we are
a free and self-governing people. That is too much,
even for a joke. Wars throughout history have been
waged for conquest and plunder. And that is war in
a nutshell. The master class has always declared
the wars; the subject class has always fought the
battles."
-- Eugene V. Debs, 1918
From wk at gnupg.org Fri Feb 2 10:14:16 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 02 Feb 2007 10:14:16 +0100
Subject: [Announce] Libgcrypt 1.2.4 released
Message-ID: <87wt30syzb.fsf@wheatstone.g10code.de>
Hello!
We are pleased to announce the availability of Libgcrypt 1.2.4.
Libgcrypt is a general purpose library of cryptographic building
blocks. It is originally based on the code used in GnuPG.
This is a bug fix release solving a few minor issues. There are no
new features. If you experience problems with an application using
libgcrypt, you might want to update to this version.
Noteworthy changes are:
* Fixed a bug in the memory allocator which could have been the
reason for some non-duplicable bugs.
* Other minor bug fixes.
Source code is hosted at the GnuPG FTP server and its mirrors as
listed at http://www.gnupg.org/download/mirrors.html . On the primary
server the source files and there digital signatures are:
ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.2.4.tar.bz2 (781k)
ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.2.4.tar.bz2.sig
These files are bzip2 compressed. If you can't use the bunzip2 tool,
gzip compressed versions of the files are also available:
ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.2.4.tar.gz (990k)
ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.2.4.tar.gz.sig
As an alternative a patch against version 1.2.3 is available as:
ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.2.3-1.2.4.diff.bz2 (87k)
SHA-1 checksums are:
c72406c69d6ad9fb3fa1e9824b04566cf204093b libgcrypt-1.2.4.tar.bz2
d279e7a4464cccf0cc4e29c374a1e8325fc65b9a libgcrypt-1.2.4.tar.gz
d4f5525fa26e92ade2914c6581435171f8b4fc44 libgcrypt-1.2.3-1.2.4.diff.bz2
For help on installing or developing with Libgcrypt you should send
mail to the grcypt-devel mailing list. For details see
http://www.gnupg.org/documentation/mailing-lists.html .
Improving Libgcrypt is costly, but you can help! We are looking for
organizations that find Libgcrypt useful and wish to contribute back.
You can contribute by reporting bugs, improve the software [1], or by
donating money.
Commercial support contracts for Libgcrypt are available [2], and they
help finance continued maintenance. g10 Code GmbH, a Duesseldorf
based company owned and headed by gpg's principal author, is currently
funding Libgcrypt development. We are always looking for interesting
development projects.
Happy hacking,
Werner
[1] As a GNU project copyright assignments to the FSF are required.
[2] See the service directory at http://www.gnupg.org/service.html .
--
Werner Koch
The GnuPG Experts http://g10code.com
Join the Fellowship and protect your Freedom! http://www.fsfe.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : /pipermail/attachments/20070202/6194bdae/attachment.pgp
-------------- next part --------------
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce
From wk at gnupg.org Fri Feb 2 10:36:55 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 02 Feb 2007 10:36:55 +0100
Subject: [Announce] GnuPG 2.0.2 released
Message-ID: <87sldosxxk.fsf@wheatstone.g10code.de>
Hello!
We are pleased to announce the availability of a new stable GnuPG-2
release: Version 2.0.2
This is maintenance release to fix build problems found after the
release of 2.0.1. There are also some minor enhancements.
The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
and data storage. It can be used to encrypt data, create digital
signatures, help authenticating using Secure Shell and to provide a
framework for public key cryptography. It includes an advanced key
management facility and is compliant with the OpenPGP and S/MIME
standards.
GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.6) in that
it splits up functionality into several modules. However, both
versions may be installed alongside without any conflict. In fact,
the gpg version from GnuPG-1 is able to make use of the gpg-agent as
included in GnuPG-2 and allows for seamless passphrase caching. The
advantage of GnuPG-1 is its smaller size and the lack of dependency on
other modules at run and build time. We will keep maintaining GnuPG-1
versions because they are very useful for small systems and for server
based applications requiring only OpenPGP support.
GnuPG is distributed under the terms of the GNU General Public License
(GPL). GnuPG-2 works best on GNU/Linux or *BSD systems.
Getting the Software
====================
Please follow the instructions found at http://www.gnupg.org/download/
or read on:
GnuPG 2.0.2 may be downloaded from one of the GnuPG mirror sites or
direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be
found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not
available at ftp.gnu.org.
On the mirrors you should find the following files in the *gnupg*
directory:
gnupg-2.0.2.tar.bz2 (3.8M)
gnupg-2.0.2.tar.bz2.sig
GnuPG source compressed using BZIP2 and OpenPGP signature.
gnupg-2.0.1-2.0.2.diff.bz2 (53k)
A patch file to upgrade a 2.0.1 GnuPG source.
Note, that we don't distribute gzip compressed tarballs.
Checking the Integrity
======================
In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:
* If you already have a trusted version of GnuPG installed, you
can simply check the supplied signature. For example to check the
signature of the file gnupg-2.0.2.tar.bz2 you would use this command:
gpg --verify gnupg-2.0.2.tar.bz2.sig
This checks whether the signature file matches the source file.
You should see a message indicating that the signature is good and
made by that signing key. Make sure that you have the right key,
either by checking the fingerprint of that key with other sources
or by checking that the key has been signed by a trustworthy other
key. Note, that you can retrieve the signing key using the command
finger wk ,at' g10code.com
or using a keyserver like
gpg --recv-key 1CE0C630
The distribution key 1CE0C630 is signed by the well known key
5B0358A2. If you get an key expired message, you should retrieve a
fresh copy as the expiration date might have been prolonged.
NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE
INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!
* If you are not able to use an old version of GnuPG, you have to verify
the SHA-1 checksum. Assuming you downloaded the file
gnupg-2.0.2.tar.bz2, you would run the sha1sum command like this:
sha1sum gnupg-2.0.2.tar.bz2
and check that the output matches the first line from the
following list:
1a3165c5b601f3244b8885143d02bea4210495e3 gnupg-2.0.2.tar.bz2
1d42f46ae2c0d00b56be34bcd95fff51b77163a6 gnupg-2.0.1-2.0.2.diff.bz2
What's New
===========
* Fixed a serious and exploitable bug in processing encrypted
packages. [CVE-2006-6235]. Note, that a patch was distributed
along with the first report of that bug.
* Added --passphrase-repeat to set the number of times GPG will
prompt for a new passphrase to be repeated. This is useful to help
memorize a new passphrase. The default is 1 repetition.
* Using a PIN pad does now also work for the signing key.
* A warning is displayed by gpg-agent if a new passphrase is too
short. New option --min-passphrase-len defaults to 8.
* The status code BEGIN_SIGNING now shows the used hash algorithms.
Internationalization
====================
GnuPG comes with support for 27 languages. Due to a lot of new and
changed strings most translations are not entirely complete. The
Swedish, Turkish, German and Russian translations should be complete.
Documentation
=============
We are currently working on an installation guide to explain in more
detail how to configure the new features. As of now the chapters on
gpg-agent and gpgsm include brief information on how to set up the
whole thing. Please watch the GnuPG website for updates of the
documentation. In the meantime you may search the GnuPG mailing list
archives or ask on the gnupg-users mailing lists for advise on how to
solve problems. Many of the new features are around for several years
and thus enough public knowledge is already available. KDE's KMail is
the most prominent user of GnuPG. In fact it has been developed along
with the Kmail folks. Mutt users might want to use the configure
option "--enable-gpgme" and "set use_crypt_gpgme" in ~/.muttrc to make
use of GnuPG-2 to enable S/MIME in addition to a reworked OpenPGP
support.
Support
=======
Improving GnuPG is costly, but you can help! We are looking for
organizations that find GnuPG useful and wish to contribute back. You
can contribute by reporting bugs, improve the software, or by donating
money.
Commercial support contracts for GnuPG are available, and they help
finance continued maintenance. g10 Code GmbH, a Duesseldorf based
company owned and headed by GnuPG's principal author, is currently
funding GnuPG development. We are always looking for interesting
development projects.
A service directory is available at:
http://www.gnupg.org/service.html
Thanks
======
We have to thank all the people who helped with this release, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word or answering questions on the mailing
lists.
Happy Hacking,
The GnuPG Team (David, Marcus, Werner and all other contributors)
--
Werner Koch
The GnuPG Experts http://g10code.com
Join the Fellowship and protect your Freedom! http://www.fsfe.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : /pipermail/attachments/20070202/8925fbd8/attachment-0001.pgp
-------------- next part --------------
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce
From r.post at sara.nl Fri Feb 2 11:15:00 2007
From: r.post at sara.nl (Remco Post)
Date: Fri, 02 Feb 2007 11:15:00 +0100
Subject: smartcard and ssh
Message-ID: <45C30F24.2030708@sara.nl>
Hi All,
just recently I've installed ubuntu 6.10 on my desktop. This comes with
gpg-agent 1.9.21.
I've set the agent with ssh support, and it quite nicely manages my ssh
dsa key, but for some reason ssh-add -l does not show my smartcard rsa
key while gpg --card-status does work (as does signing e-mail with my
smartcard).
Anybody any hint on what might be wrong?
--
Met vriendelijke groeten,
Remco Post
SARA - Reken- en Netwerkdiensten http://www.sara.nl
High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC
"I really didn't foresee the Internet. But then, neither did the
computer industry. Not that that tells us very much of course - the
computer industry didn't even foresee that the century was going to
end." -- Douglas Adams
From wk at gnupg.org Fri Feb 2 13:23:40 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 02 Feb 2007 13:23:40 +0100
Subject: smartcard and ssh
In-Reply-To: <45C30F24.2030708@sara.nl> (Remco Post's message of "Fri\, 02 Feb
2007 11\:15\:00 +0100")
References: <45C30F24.2030708@sara.nl>
Message-ID: <87k5z0px2r.fsf@wheatstone.g10code.de>
On Fri, 2 Feb 2007 11:15, r.post at sara.nl said:
> I've set the agent with ssh support, and it quite nicely manages my ssh
> dsa key, but for some reason ssh-add -l does not show my smartcard rsa
> key while gpg --card-status does work (as does signing e-mail with my
> smartcard).
Do you have scdaemon installed? If so, you should put
verbose
debug 1024
debug 2048
log-file /home/foo/scdaemon.log
into the ~/.gnupg/scdaemon.conf and kill the scdaemon process. Make
sure that it really got killed. Then do an "ssh-add -l" again and
watch the log file.
Note, that gpg-agent starts scdaemon and restarts it if has crashed.
Shalom-Salam,
Werner
From shavital at mac.com Fri Feb 2 13:33:29 2007
From: shavital at mac.com (Charly Avital)
Date: Fri, 02 Feb 2007 07:33:29 -0500
Subject: [Announce] GnuPG 2.0.2 released
In-Reply-To: <87sldosxxk.fsf@wheatstone.g10code.de>
References: <87sldosxxk.fsf@wheatstone.g10code.de>
Message-ID: <45C32F99.5090408@mac.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Werner Koch wrote the following on 2/2/07 4:36 AM:
| Hello!
|
| We are pleased to announce the availability of a new stable GnuPG-2
| release: Version 2.0.2
[...]
| Thanks
| ======
|
| We have to thank all the people who helped with this release, be it
| testing, coding, translating, suggesting, auditing, administering the
| servers, spreading the word or answering questions on the mailing
| lists.
|
|
| Happy Hacking,
|
| The GnuPG Team (David, Marcus, Werner and all other contributors)
GnuPG v2.0.2 has been configured as follows:
~ Platform: Darwin (powerpc-apple-darwin8.8.0)
~ OpenPGP: yes
~ S/MIME: yes
~ Agent: yes
~ Smartcard: yes
~ Protect tool: (default)
~ Default agent: (default)
~ Default pinentry: (default)
~ Default scdaemon: (default)
~ Default dirmngr: (default)
~ PKITS based tests: no
All seems to be working fine.
Shall try later (much later) for Mac Inter Core Duo.
Thank you David, Marcus, Werner, all other contributors and Ben Donnachie.
Charly
KeyOnCard at:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
Comment: GnuPG for Privacy
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQCVAwUBRcMvayRJoUyU/RYhAQJqBwP5AYLO5bufqRhkCALlRAu3LMQ8bYrYUpRl
pxM7SPzEeONGPpgzP1nxXmteANifPiivqYAogF0tjPa8loDM8MsNDiacj/KoEYIn
Jflh4/JerRpUc3tJU6lev+hiLaYzQYKVI/yCo0PzUf5faosKO17AraHsIj+yejLo
+ZSYOOsmHtU=
=z0Ll
-----END PGP SIGNATURE-----
From r.post at sara.nl Fri Feb 2 14:00:23 2007
From: r.post at sara.nl (Remco Post)
Date: Fri, 02 Feb 2007 14:00:23 +0100
Subject: smartcard and ssh
In-Reply-To: <87k5z0px2r.fsf@wheatstone.g10code.de>
References: <45C30F24.2030708@sara.nl> <87k5z0px2r.fsf@wheatstone.g10code.de>
Message-ID: <45C335E7.8060102@sara.nl>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Werner Koch wrote:
> On Fri, 2 Feb 2007 11:15, r.post at sara.nl said:
>
>> I've set the agent with ssh support, and it quite nicely manages my ssh
>> dsa key, but for some reason ssh-add -l does not show my smartcard rsa
>> key while gpg --card-status does work (as does signing e-mail with my
>> smartcard).
>
> Do you have scdaemon installed? If so, you should put
>
mope, I didn't. I tried installing it (as part of the gpgsm package) but
the /usr/lib/gnupg/pcsc-wrapper seems to be missing in the package :(
> verbose
> debug 1024
> debug 2048
> log-file /home/foo/scdaemon.log
>
> into the ~/.gnupg/scdaemon.conf and kill the scdaemon process. Make
> sure that it really got killed. Then do an "ssh-add -l" again and
> watch the log file.
>
The log-file:
2007-02-02 13:41:20 scdaemon[5733] can't run PC/SC access module
`/usr/lib/gnupg/pcsc-wrapper': No such file or directory
scdaemon[5733.0x8096340] DBG: -> ERR 100663404 Card error
scdaemon[5733.0x8096340] DBG: OK
> Note, that gpg-agent starts scdaemon and restarts it if has crashed.
>
>
>
> Shalom-Salam,
>
> Werner
>
- --
Met vriendelijke groeten,
Remco Post
SARA - Reken- en Netwerkdiensten http://www.sara.nl
High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC
"I really didn't foresee the Internet. But then, neither did the
computer industry. Not that that tells us very much of course - the
computer industry didn't even foresee that the century was going to
end." -- Douglas Adams
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQCVAwUBRcM14irZkcVehrp5AQK+4wP/du5tH3w55xUIvpBirr4HbbAw3XWPUTgx
Ni5zwYqM1NEr5G9E+Dx81VaNXSiqcabtaZC9sG9iuqUCqGMA8t2N3jv9m4TZ/avi
fCWdTuB4RH1QEfgYKZdKzNDpmmInlAuai8/2CVone5mdz1t9G5vpc2uMb28NRwTS
PgBg5Oysf9I=
=aYNG
-----END PGP SIGNATURE-----
From sravan at atc.tcs.com Fri Feb 2 13:33:11 2007
From: sravan at atc.tcs.com (Sravan)
Date: Fri, 02 Feb 2007 18:03:11 +0530
Subject: doubt in clear text signing
Message-ID: <45C32F87.8020403@atc.tcs.com>
Dear All,
I have a question related to clear signing. As per the standard(rfc
2440), a signature of type 'Canonical text document' should be generated
after removing any trailing spaces and making the line endings as '\r
\n'. Is this the case with clear text signatures generated by gpg?
Also, when i generate a signature(actually, i am signing and encrypting)
for some data that doesn't contain a newline at the end, gpg inserts one
at the end.
Will this last new line considered a part of the signed data?
Regards,
Sravan
From wk at gnupg.org Fri Feb 2 14:51:02 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 02 Feb 2007 14:51:02 +0100
Subject: doubt in clear text signing
In-Reply-To: <45C32F87.8020403@atc.tcs.com> (sravan@atc.tcs.com's message of
"Fri\, 02 Feb 2007 18\:03\:11 +0530")
References: <45C32F87.8020403@atc.tcs.com>
Message-ID: <8764akoegp.fsf@wheatstone.g10code.de>
On Fri, 2 Feb 2007 13:33, sravan at atc.tcs.com said:
> I have a question related to clear signing. As per the standard(rfc
> 2440), a signature of type 'Canonical text document' should be generated
> after removing any trailing spaces and making the line endings as '\r
> \n'. Is this the case with clear text signatures generated by gpg?
Yes, we don't include trailing ASCII spaces, tabs, CR and the LF when
calculating the hast of a clear signed message. The constant string
of a CR and a LF is then hashed. Note, that this is different from
regular signatures created in textmode - the story behind them is more
complicate.
> Also, when i generate a signature(actually, i am signing and encrypting)
> for some data that doesn't contain a newline at the end, gpg inserts one
> at the end.
> Will this last new line considered a part of the signed data?
No the last line feed is not part of the signature. See the code in
g10/textfilter.c. To avoid interpretation problems gpg always ends
alinefeed to a message which does not end in one. A clear signed
message is intended for human consumption and should not be used if
you need to be sure that the verbatim text gets signed.
Salam-Shalom,
Werner
From wk at gnupg.org Fri Feb 2 21:44:38 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 02 Feb 2007 21:44:38 +0100
Subject: smartcard and ssh
In-Reply-To: <45C335E7.8060102@sara.nl> (Remco Post's message of "Fri\, 02 Feb
2007 14\:00\:23 +0100")
References: <45C30F24.2030708@sara.nl> <87k5z0px2r.fsf@wheatstone.g10code.de>
<45C335E7.8060102@sara.nl>
Message-ID: <87veikjnm1.fsf@wheatstone.g10code.de>
On Fri, 2 Feb 2007 14:00, r.post at sara.nl said:
> mope, I didn't. I tried installing it (as part of the gpgsm package) but
> the /usr/lib/gnupg/pcsc-wrapper seems to be missing in the package :(
If you have an USB reader, try using the internal ccid-driver. You
need to stop the pcscd first. You may test it with the plain gpg - it
will also use the ccid-driver (--debug-ccid-driver helps to detect
problems). Make sure that the usbfs is loaded and that the
permissions are correct . The smart card howto at www.gnupg.org
should be helpful.
Shalom-Salam,
Werner
From alon.barlev at gmail.com Fri Feb 2 22:54:52 2007
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Fri, 2 Feb 2007 23:54:52 +0200
Subject: smartcard and ssh
In-Reply-To: <87veikjnm1.fsf@wheatstone.g10code.de>
References: <45C30F24.2030708@sara.nl> <87k5z0px2r.fsf@wheatstone.g10code.de>
<45C335E7.8060102@sara.nl> <87veikjnm1.fsf@wheatstone.g10code.de>
Message-ID: <9e0cf0bf0702021354j3afb4ba3x1b41a35ad9824833@mail.gmail.com>
On 2/2/07, Werner Koch wrote:
> On Fri, 2 Feb 2007 14:00, r.post at sara.nl said:
>
> > mope, I didn't. I tried installing it (as part of the gpgsm package) but
> > the /usr/lib/gnupg/pcsc-wrapper seems to be missing in the package :(
>
> If you have an USB reader, try using the internal ccid-driver. You
> need to stop the pcscd first. You may test it with the plain gpg - it
> will also use the ccid-driver (--debug-ccid-driver helps to detect
> problems). Make sure that the usbfs is loaded and that the
> permissions are correct . The smart card howto at www.gnupg.org
> should be helpful.
Or if your smartcard supports PKCS#11 interface you can use the
gnupg-pkcs11-scd from http://gnupg-pkcs11.sourceforge.net and OpenSSH
PKCS#11 from http://alon.barlev.googlepages.com/openssh-pkcs11, this
way you can use your smartcard with many application at the same time
without stopping any interface or making the card locked by one of
them.
Best Regards,
Alon Bar-Lev.
From marcus.brinkmann at ruhr-uni-bochum.de Sat Feb 3 16:42:40 2007
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Sat, 03 Feb 2007 16:42:40 +0100
Subject: [Announce] GPGME 1.1.3 released
Message-ID: <878xff5jtb.wl%marcus.brinkmann@ruhr-uni-bochum.de>
Hi,
We are pleased to announce version 1.1.3 of GnuPG Made Easy,
a library designed to make access to GnuPG easier for applications.
It may be found in the file (about 897 KB/690 KB compressed)
ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.3.tar.gz
ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.3.tar.bz2
The following files are also available:
ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.3.tar.gz.sig
ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.3.tar.bz2.sig
ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.2-1.1.3.diff.gz
It should soon appear on the mirrors listed at:
http://www.gnupg.org/mirrors.html
Bug reports and requests for assistance should be sent to:
gnupg-devel at gnupg.org
The sha1sum checksums for this distibution are
bf88701162d09a1bfacf72594fc32f374144158c gpgme-1.1.2-1.1.3.diff.gz
e416854cb41a2e8b92a148ed17d2f2b97eeeba4a gpgme-1.1.3.tar.bz2
c41ca6df0b32281135ed95623dd5f8c0789b5671 gpgme-1.1.3.tar.bz2.sig
98ed8563da4870e3dd2d922e96983bf6a3e7cfb1 gpgme-1.1.3.tar.gz
303f46a7dfcf3581d2e6bad984d909e4f9359af1 gpgme-1.1.3.tar.gz.sig
Noteworthy changes in version 1.1.3 (2007-01-29)
------------------------------------------------
* Fixed a memory leak in gpgme_data_release_and_get_mem.
* Fixed a bug in Windows command line quoting.
Marcus Brinkmann
mb at g10code.de
--
g10 Code GmbH http://g10code.com AmtsGer. Wuppertal HRB 14459
H?ttenstr. 61 Gesch?ftsf?hrung Werner Koch
D-40699 Erkrath -=- The GnuPG Experts -=- USt-Id DE215605608
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce
From j.lysdal at gmail.com Sun Feb 4 21:49:43 2007
From: j.lysdal at gmail.com (=?ISO-8859-1?Q?J=F8rgen_Lysdal?=)
Date: Sun, 04 Feb 2007 21:49:43 +0100
Subject: openpgp card
Message-ID: <45C646E7.9060403@gmail.com>
On the back of my openpgp card, it says that it has
"Private data storage" What is this storage? and can i use
it to store anything?
--
J?rgen Ch. Lysdal
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 368 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20070204/a2c73021/attachment-0001.pgp
From wk at gnupg.org Sun Feb 4 22:08:10 2007
From: wk at gnupg.org (Werner Koch)
Date: Sun, 04 Feb 2007 22:08:10 +0100
Subject: openpgp card
In-Reply-To: <45C646E7.9060403@gmail.com> (=?utf-8?Q?J=C3=B8rgen?= Lysdal's
message of "Sun\, 04 Feb 2007 21\:49\:43 +0100")
References: <45C646E7.9060403@gmail.com>
Message-ID: <87sldltyv9.fsf@wheatstone.g10code.de>
On Sun, 4 Feb 2007 21:49, j.lysdal at gmail.com said:
> On the back of my openpgp card, it says that it has
> "Private data storage" What is this storage? and can i use
> it to store anything?
While in the gpg --card-edit menu, optionally enter "admin" and then
"privatedo" to change the 4 private DO fields. See the specs for the
required permissions of the read/write the fields.
Shalom-Salam,
Werner
From j.lysdal at gmail.com Sun Feb 4 23:19:35 2007
From: j.lysdal at gmail.com (=?ISO-8859-1?Q?J=F8rgen_Lysdal?=)
Date: Sun, 04 Feb 2007 23:19:35 +0100
Subject: openpgp card
In-Reply-To: <87sldltyv9.fsf@wheatstone.g10code.de>
References: <45C646E7.9060403@gmail.com> <87sldltyv9.fsf@wheatstone.g10code.de>
Message-ID: <45C65BF7.8050208@gmail.com>
Werner Koch skrev:
> While in the gpg --card-edit menu, optionally enter "admin" and then
> "privatedo" to change the 4 private DO fields. See the specs for the
> required permissions of the read/write the fields.
Thanks for the hint. What i was interested in was if i could upload a
file to the card and then retrieve it later. It appears i cant do that,
anyway, i need at least 1600 bytes storage.
--
J?rgen Ch. Lysdal
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 368 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20070204/69ab9c41/attachment.pgp
From roy_carin_mail-vtrcl at yahoo.com.au Mon Feb 5 03:08:54 2007
From: roy_carin_mail-vtrcl at yahoo.com.au (Roy Carin)
Date: Sun, 04 Feb 2007 20:08:54 -0600
Subject: GPG fails to verify clamav
Message-ID: <45C691B6.60202@yahoo.com.au>
I downloaded clamav 0.90rc3 from
http://sourceforge.net/project/showfiles.php?group_id=86638&package_id=90197&release_id=483125
I want to verify the integrity of the downloaded file. When I do
gpg --keyserver random.sks.keyserver.penguin.de --verify
clamav-0.90rc3.tar.gz.sig
it fails, saying this:
> gpg: Signature made Wed Jan 31 18:04:35 2007 CST using DSA key ID 985A444B
> gpg: Can't check signature: public key not found
Ren? Berber, in message
, says that my GPG installation is broken.
Can anyone tell me how I can fix it?
Thanks in advance.
P.S.
I also tried using the protocol name in front of the keyserver address
(hkp://). It didn't work.
--
Send instant messages to your online friends http://au.messenger.yahoo.com
From tmz at pobox.com Mon Feb 5 06:19:44 2007
From: tmz at pobox.com (Todd Zullinger)
Date: Mon, 5 Feb 2007 00:19:44 -0500
Subject: GPG fails to verify clamav
In-Reply-To: <45C691B6.60202@yahoo.com.au>
References: <45C691B6.60202@yahoo.com.au>
Message-ID: <20070205051944.GE2362@psilocybe.teonanacatl.org>
Roy Carin wrote:
> I downloaded clamav 0.90rc3 from
> http://sourceforge.net/project/showfiles.php?group_id=86638&package_id=90197&release_id=483125
>
> I want to verify the integrity of the downloaded file. When I do
>
> gpg --keyserver random.sks.keyserver.penguin.de --verify
> clamav-0.90rc3.tar.gz.sig
>
> it fails, saying this:
>
>> gpg: Signature made Wed Jan 31 18:04:35 2007 CST using DSA key ID 985A444B
>> gpg: Can't check signature: public key not found
>
> Ren? Berber, in message
>
> , says that my GPG installation is broken.
>
> Can anyone tell me how I can fix it?
I think that the problem may be that you don't have the key on your
keyring already and you don't have the auto-key-retrieve keyserver
option enabled (it's not enabled by default). You can either enable
that option or import the key before verifying the signature (via a
keyserver webpage or using gpg --recv-key 985A444B).
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
======================================================================
What a terrible thing to have lost one's mind. Or not to have a mind
at all. How true that is.
-- Dan Quayle, speaking to the United Negro College Fund
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 542 bytes
Desc: not available
Url : /pipermail/attachments/20070205/7ddee2b5/attachment.pgp
From dshaw at jabberwocky.com Mon Feb 5 06:12:26 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 5 Feb 2007 00:12:26 -0500
Subject: GPG fails to verify clamav
In-Reply-To: <45C691B6.60202@yahoo.com.au>
References: <45C691B6.60202@yahoo.com.au>
Message-ID: <20070205051226.GD6299@jabberwocky.com>
On Sun, Feb 04, 2007 at 08:08:54PM -0600, Roy Carin wrote:
> I downloaded clamav 0.90rc3 from
> http://sourceforge.net/project/showfiles.php?group_id=86638&package_id=90197&release_id=483125
>
> I want to verify the integrity of the downloaded file. When I do
>
> gpg --keyserver random.sks.keyserver.penguin.de --verify
> clamav-0.90rc3.tar.gz.sig
>
> it fails, saying this:
>
> > gpg: Signature made Wed Jan 31 18:04:35 2007 CST using DSA key ID 985A444B
> > gpg: Can't check signature: public key not found
Download the key 985A444B:
gpg --keyserver random.sks.keyserver.penguin.de --recv-keys 985A444B
Then do the verify.
David
From r.post at sara.nl Mon Feb 5 10:37:19 2007
From: r.post at sara.nl (Remco Post)
Date: Mon, 05 Feb 2007 10:37:19 +0100
Subject: smartcard and ssh
In-Reply-To: <87veikjnm1.fsf@wheatstone.g10code.de>
References: <45C30F24.2030708@sara.nl>
<87k5z0px2r.fsf@wheatstone.g10code.de> <45C335E7.8060102@sara.nl>
<87veikjnm1.fsf@wheatstone.g10code.de>
Message-ID: <45C6FACF.3060400@sara.nl>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Werner Koch wrote:
> On Fri, 2 Feb 2007 14:00, r.post at sara.nl said:
>
>> mope, I didn't. I tried installing it (as part of the gpgsm package) but
>> the /usr/lib/gnupg/pcsc-wrapper seems to be missing in the package :(
>
> If you have an USB reader, try using the internal ccid-driver. You
> need to stop the pcscd first. You may test it with the plain gpg - it
> will also use the ccid-driver (--debug-ccid-driver helps to detect
> problems). Make sure that the usbfs is loaded and that the
> permissions are correct . The smart card howto at www.gnupg.org
> should be helpful.
>
hmmm, more problems. I've decided that the ubuntu packages are broken.
I'll try again in a new release or when I gain some more patience ;-)
Normal gpg operations work, it's just the ssh-compatebility and only for
the smartcard, well, I gues I can do another few months without, just
like the past few years when I suffered a windows desktop ;-)
>
> Shalom-Salam,
>
> Werner
>
- --
Met vriendelijke groeten,
Remco Post
SARA - Reken- en Netwerkdiensten http://www.sara.nl
High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC
"I really didn't foresee the Internet. But then, neither did the
computer industry. Not that that tells us very much of course - the
computer industry didn't even foresee that the century was going to
end." -- Douglas Adams
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQCVAwUBRcb6yirZkcVehrp5AQKrsgQAmmPinNNA0LUJZbEnI7ioOGZfwD6/7OsP
o31ffvu7bsyuXDFbrtA/UD6gZt4xCPe3N3W/4ygQgwbkFGWgedrV9muIqtmbvexL
kGzt0p0RiIxXJHZ1El1XBfiV6z0gqNEVBvAZd5AYlK+dyLE6S6IC8tfVVlcwSdLS
WjqtcD+d2zE=
=j0XP
-----END PGP SIGNATURE-----
From roy_carin_mail-vtrcl at yahoo.com.au Mon Feb 5 18:52:16 2007
From: roy_carin_mail-vtrcl at yahoo.com.au (Roy Carin)
Date: Mon, 05 Feb 2007 11:52:16 -0600
Subject: GPG fails to verify clamav
In-Reply-To: <20070205051226.GD6299@jabberwocky.com>
References: <45C691B6.60202@yahoo.com.au>
<20070205051226.GD6299@jabberwocky.com>
Message-ID: <45C76ED0.5070801@yahoo.com.au>
On 02/04/2007 11:12 PM, David Shaw wrote:
> On Sun, Feb 04, 2007 at 08:08:54PM -0600, Roy Carin wrote:
>> I downloaded clamav 0.90rc3 from
>> http://sourceforge.net/project/showfiles.php?group_id=86638&package_id=90197&release_id=483125
>>
>> I want to verify the integrity of the downloaded file. When I do
>>
>> gpg --keyserver random.sks.keyserver.penguin.de --verify
>> clamav-0.90rc3.tar.gz.sig
>>
>> it fails, saying this:
>>
>>> gpg: Signature made Wed Jan 31 18:04:35 2007 CST using DSA key ID 985A444B
>>> gpg: Can't check signature: public key not found
>
> Download the key 985A444B:
>
> gpg --keyserver random.sks.keyserver.penguin.de --recv-keys 985A444B
>
> Then do the verify.
>
> David
>
Thanks. The first couple of times it didn't work. Netstat said SYN_SENT
for 62.94.26.10 port 11371 but didn't connect. The third time was the
charm :-)
--
Send instant messages to your online friends http://au.messenger.yahoo.com
From roy_carin_mail-vtrcl at yahoo.com.au Mon Feb 5 18:53:03 2007
From: roy_carin_mail-vtrcl at yahoo.com.au (Roy Carin)
Date: Mon, 05 Feb 2007 11:53:03 -0600
Subject: GPG fails to verify clamav
In-Reply-To: <20070205051944.GE2362@psilocybe.teonanacatl.org>
References: <45C691B6.60202@yahoo.com.au>
<20070205051944.GE2362@psilocybe.teonanacatl.org>
Message-ID: <45C76EFF.4060601@yahoo.com.au>
On 02/04/2007 11:19 PM, Todd Zullinger wrote:
> Roy Carin wrote:
>> I downloaded clamav 0.90rc3 from
>> http://sourceforge.net/project/showfiles.php?group_id=86638&package_id=90197&release_id=483125
>>
>> I want to verify the integrity of the downloaded file. When I do
>>
>> gpg --keyserver random.sks.keyserver.penguin.de --verify
>> clamav-0.90rc3.tar.gz.sig
>>
>> it fails, saying this:
>>
>>> gpg: Signature made Wed Jan 31 18:04:35 2007 CST using DSA key ID 985A444B
>>> gpg: Can't check signature: public key not found
>> Ren? Berber, in message
>>
>> , says that my GPG installation is broken.
>>
>> Can anyone tell me how I can fix it?
>
> I think that the problem may be that you don't have the key on your
> keyring already and you don't have the auto-key-retrieve keyserver
> option enabled (it's not enabled by default). You can either enable
> that option or import the key before verifying the signature (via a
> keyserver webpage or using gpg --recv-key 985A444B).
>
Thanks. Done.
--
Send instant messages to your online friends http://au.messenger.yahoo.com
From benjamin at py-soft.co.uk Tue Feb 6 01:14:28 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Tue, 06 Feb 2007 00:14:28 +0000
Subject: openpgp card
In-Reply-To: <45C65BF7.8050208@gmail.com>
References: <45C646E7.9060403@gmail.com> <87sldltyv9.fsf@wheatstone.g10code.de>
<45C65BF7.8050208@gmail.com>
Message-ID: <45C7C864.2020900@py-soft.co.uk>
J?rgen Lysdal wrote:
> Thanks for the hint. What i was interested in was if i could upload a
> file to the card and then retrieve it later.
That's one of the aims of the project for the "open implementation of
the openpgp smart card standard", see
http://www.py-soft.co.uk/wiki/index.php/Openpgp
Ben
From groups at sowa.cc Sat Feb 3 15:14:50 2007
From: groups at sowa.cc (Thomas Sowa)
Date: Sat, 3 Feb 2007 15:14:50 +0100
Subject: gpg.conf missing
Message-ID: <1170512090.45c498da17ea1@webmail.in-berlin.de>
Hi,
i just created my .gnupg file --> gpg --gen-key
All is good, but the gpg.conf is missing. It's already the 2run, the first
created the file but it was empty.
Why, and how do I get this file to modify it?
Thanks,
Tom
From wk at gnupg.org Tue Feb 6 10:24:02 2007
From: wk at gnupg.org (Werner Koch)
Date: Tue, 06 Feb 2007 10:24:02 +0100
Subject: New command line language parameter
In-Reply-To: <200702051357.l15DvWds001544@edison.ccupm.upm.es> (Juan
=?utf-8?Q?Marug=C3=A1n's?=
message of "Mon\, 05 Feb 2007 14\:57\:32 +0100")
References: <200701300956.l0U9u38R019043@edison.ccupm.upm.es>
<87ps8tu1v7.fsf@wheatstone.g10code.de>
<200702012226.l11MQ0RF008768@edison.ccupm.upm.es>
<87abzxt0jb.fsf@wheatstone.g10code.de>
<200702051357.l15DvWds001544@edison.ccupm.upm.es>
Message-ID: <878xfboczx.fsf@wheatstone.g10code.de>
On Mon, 5 Feb 2007 14:57, jmarugan at alumnos.upm.es said:
> I tried the SET LANG=xx and as far as i read in the GPG documentation
> and mailing list's posts, this is only for POSIX systems, not for
> windows, at least in windows doesn't work in all the ways i tried.
You are right. It works for GPA but not for GPG because with gpg we
use a simplified version of gettext. This is easy to fix.
> I'm afraid the only way to use a language file in windows is the
> registry or a new command line parameter.
No. A command line option won't work because how would you then print
a localized message like "invalid option" or diagnostics printed even
before any option has been parsed.
Shalom-Salam,
Werner
From m-iizuka at cp.jp.nec.com Tue Feb 6 10:14:41 2007
From: m-iizuka at cp.jp.nec.com (Mitsuho Iizuka)
Date: Tue, 06 Feb 2007 18:14:41 +0900 (JST)
Subject: No Public Key Problem
Message-ID: <20070206.181441.74753944.m-iizuka@cp.jp.nec.com>
Getting errors as follows, I can't sign by myself with gpgsm of
gnupg2.0.1 on Fedora Core 5 Linux. Could you give some hint ?
gpgsm: can't sign using `': No public key
[GNUPG:] INV_RECP 1
command line are as follows.
% ./gpgsm --detach-sign --include-certs 3 --status-fd 2 --local-user '' --output smime.p7s mew5430s-F
I tried 2 other user specifying way, such as, m-iizuka at ... and
''. Those results gave almost same error. Only
m-iizuka.cp.jp.nec.com gave me valid sign.
My certification is as follows(~/.gnupg/keyring.kbx).
% gpgsm -kv
:
Serial number: XXXXXXX
Issuer: /CN=NEC Group Certification Authority SMIME/OU=Class 2 CA - OnSite Individual Subscriber/OU=Terms of use at https:\x2f\x2fwww.verisign.co.jp\x2fRPA (c)99/OU=VeriSign Trust Network/O=NEC Corporation
Subject: /CN=Mitsuho Iizuka (061221 m-iizuka.cp.jp.nec.com)/OU=www.verisign.com\x2frepository\x2fCPS Incorp. by Ref.,LIAB.LTD(c)96/OU=NEC Group Certification Authority SMIME/O=NEC Corporation/EMail=m-iizuka at cp.jp.nec.com
:
According to keydb.c at around 1035 line, I don't think there is
a method to specify myself with my e-mail address on the above my
certicication. How can I specify myself with gpgsm2.0.1 ?
Thanks in advance
Regards,
// Mitsuho Iizuka
From info at webinfo.de Tue Feb 6 13:35:00 2007
From: info at webinfo.de (=?iso-8859-15?Q?Bj=F6rn_Mayer?=)
Date: Tue, 06 Feb 2007 13:35:00 +0100
Subject: JADE-S, secure communication with DF?
Message-ID:
Hi folks,
supposed all features of JADE-S are activated - is it possible to encrypt
and sign messages adressed to the DF like DFService.register requests?
Best regards, Bjorn
From JPClizbe at tx.rr.com Tue Feb 6 21:13:30 2007
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Tue, 06 Feb 2007 14:13:30 -0600
Subject: gpg.conf missing
In-Reply-To: <1170512090.45c498da17ea1@webmail.in-berlin.de>
References: <1170512090.45c498da17ea1@webmail.in-berlin.de>
Message-ID: <45C8E16A.1020407@tx.rr.com>
Thomas Sowa wrote:
> Hi,
>
> i just created my .gnupg file --> gpg --gen-key
>
> All is good, but the gpg.conf is missing. It's already the 2run, the first
> created the file but it was empty.
>
> Why, and how do I get this file to modify it?
gpg.conf is just a text file. You may create it with any editor of your choice.
It is for you to use to specify common options to gpg.
For example:
default-recipient-self
default-cert-check-level 3
keyserver pool.sks-keyservers.net
keyserver-options auto-key-retrieve include-revoked include-subkeys
--
John P. Clizbe Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."
"Just how do the residents of Haiku, Hawai'i hold conversations?"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 663 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20070206/6cccb4ff/attachment.pgp
From hawke at hawkesnest.net Wed Feb 7 23:47:11 2007
From: hawke at hawkesnest.net (Alex Mauer)
Date: Wed, 07 Feb 2007 16:47:11 -0600
Subject: smartcard and ssh
In-Reply-To: <45C6FACF.3060400__12348.8685269423$1170668386$gmane$org@sara.nl>
References: <45C30F24.2030708@sara.nl> <87k5z0px2r.fsf@wheatstone.g10code.de> <45C335E7.8060102@sara.nl> <87veikjnm1.fsf@wheatstone.g10code.de>
<45C6FACF.3060400__12348.8685269423$1170668386$gmane$org@sara.nl>
Message-ID:
Remco Post wrote:
>
> hmmm, more problems. I've decided that the ubuntu packages are broken.
> I'll try again in a new release or when I gain some more patience ;-)
Have you looked for and/or reported the bugs you found?
It works for me pretty much "out of the box" with ubuntu/feisty, less so
with earlier releases.
Here are the problems I found and what I had to do to fix them:
* gnupg was trying to use pcsc-wrapper at the wrong location (see bug
#68047, https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/68047 ).
It is installed in /usr/lib/gnupg2 rather than /usr/lib/gnupg where the
scd is looking for it. This can be solved either by copying the file,
or with a symlink. This seems to have been fixed in feisty.
* Another was that the ssh-agent support is not enabled out of the box.
This may be enabled by editing /etc/X11/Xsession.d/90gpg-agent and
adding "--enable-ssh-support" in the appropriate place (around line 17).
*The final thing I needed to do was to install the package
libpcsclite-dev. This installs the symlink /usr/lib/libpcsclite.so,
linked to /usr/lib/libpcslite.so.1.0.0. Or of course, you could create
that symlink yourself. This also appears to have been fixed in feisty,
though you do still need libpcsclite1 (and pcscd).
-Alex Mauer "hawke"
From hawke at hawkesnest.net Wed Feb 7 23:47:26 2007
From: hawke at hawkesnest.net (Alex Mauer)
Date: Wed, 07 Feb 2007 16:47:26 -0600
Subject: OpenPGP card and secret keys
Message-ID:
I seem to be having some trouble with my openpgp card:
gnupg knows I have secret keys on an openpgp card:
$ gpg --list-secret-keys
/home/amauer/.gnupg/secring.gpg
-------------------------------
sec# 1024D/51192FF2 2002-03-22
ssb> 1024R/4A1C1224 2005-06-27
(output has been modified showing only what I think are relevant lines)
but then when I try to sign a file, gpg ignores these keys:
$ gpg --clearsign test.txt
gpg: secret key parts are not available
gpg: no default secret key: general error
gpg: test.txt: clearsign failed: general error
Even if I specify the signing subkey from the card, it doesn't work:
$ gpg --clearsign -u '0x4a1c1224' test.txt
gpg: secret key parts are not available
gpg: skipped "0x4a1c1224": general error
gpg: test.txt: clearsign failed: general error
If I force that subkey, it works:
$ gpg --clearsign -u '0x4a1c1224!' test.txt
$
(gpg agent popped up a pinentry dialog, and I was able to enter the PIN
on the pinpad)
What am I doing wrong?
-Alex Mauer "hawke"
From wk at gnupg.org Thu Feb 8 06:43:50 2007
From: wk at gnupg.org (Werner Koch)
Date: Thu, 08 Feb 2007 06:43:50 +0100
Subject: OpenPGP card and secret keys
In-Reply-To: (Alex Mauer's message of "Wed\, 07
Feb 2007 16\:47\:26 -0600")
References:
Message-ID: <87odo5td9l.fsf@wheatstone.g10code.de>
On Wed, 7 Feb 2007 23:47, hawke at hawkesnest.net said:
> If I force that subkey, it works:
> $ gpg --clearsign -u '0x4a1c1224!' test.txt
Okay, so it is not a communication problem with teh card. Please run
gpg --debug 64 --clearsign test.txt
To see why gpg tries to use the primary key.
Salam-Shalom,
Werner
From r.post at sara.nl Thu Feb 8 09:21:41 2007
From: r.post at sara.nl (Remco Post)
Date: Thu, 08 Feb 2007 09:21:41 +0100
Subject: smartcard and ssh
In-Reply-To:
References: <45C30F24.2030708@sara.nl> <87k5z0px2r.fsf@wheatstone.g10code.de> <45C335E7.8060102@sara.nl> <87veikjnm1.fsf@wheatstone.g10code.de> <45C6FACF.3060400__12348.8685269423$1170668386$gmane$org@sara.nl>
Message-ID: <45CADD95.3030007@sara.nl>
Alex Mauer wrote:
> Remco Post wrote:
>> hmmm, more problems. I've decided that the ubuntu packages are broken.
>> I'll try again in a new release or when I gain some more patience ;-)
>
> Have you looked for and/or reported the bugs you found?
>
> It works for me pretty much "out of the box" with ubuntu/feisty, less so
> with earlier releases.
>
> Here are the problems I found and what I had to do to fix them:
>
> * gnupg was trying to use pcsc-wrapper at the wrong location (see bug
> #68047, https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/68047 ).
> It is installed in /usr/lib/gnupg2 rather than /usr/lib/gnupg where the
> scd is looking for it. This can be solved either by copying the file,
> or with a symlink. This seems to have been fixed in feisty.
>
ok, that's a nice one....
> * Another was that the ssh-agent support is not enabled out of the box.
> This may be enabled by editing /etc/X11/Xsession.d/90gpg-agent and
> adding "--enable-ssh-support" in the appropriate place (around line 17).
>
I've made a gpg-agent.conf file to the same effect.
> *The final thing I needed to do was to install the package
> libpcsclite-dev. This installs the symlink /usr/lib/libpcsclite.so,
> linked to /usr/lib/libpcslite.so.1.0.0. Or of course, you could create
> that symlink yourself. This also appears to have been fixed in feisty,
> though you do still need libpcsclite1 (and pcscd).
>
since normal gpg operations (signing) do work, this doesn't seem to be a
problem for me.
> -Alex Mauer "hawke"
>
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
--
Met vriendelijke groeten,
Remco Post
SARA - Reken- en Netwerkdiensten http://www.sara.nl
High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC
"I really didn't foresee the Internet. But then, neither did the
computer industry. Not that that tells us very much of course - the
computer industry didn't even foresee that the century was going to
end." -- Douglas Adams
From r.post at sara.nl Thu Feb 8 10:47:13 2007
From: r.post at sara.nl (Remco Post)
Date: Thu, 08 Feb 2007 10:47:13 +0100
Subject: smartcard and ssh
In-Reply-To:
References: <45C30F24.2030708@sara.nl> <87k5z0px2r.fsf@wheatstone.g10code.de> <45C335E7.8060102@sara.nl> <87veikjnm1.fsf@wheatstone.g10code.de> <45C6FACF.3060400__12348.8685269423$1170668386$gmane$org@sara.nl>
Message-ID: <45CAF1A1.6020203@sara.nl>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Alex Mauer wrote:
> Remco Post wrote:
>> hmmm, more problems. I've decided that the ubuntu packages are broken.
>> I'll try again in a new release or when I gain some more patience ;-)
>
> Have you looked for and/or reported the bugs you found?
>
> It works for me pretty much "out of the box" with ubuntu/feisty, less so
> with earlier releases.
>
> Here are the problems I found and what I had to do to fix them:
>
> * gnupg was trying to use pcsc-wrapper at the wrong location (see bug
> #68047, https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/68047 ).
> It is installed in /usr/lib/gnupg2 rather than /usr/lib/gnupg where the
> scd is looking for it. This can be solved either by copying the file,
> or with a symlink. This seems to have been fixed in feisty.
>
ok, installing gnupg2 and symlinking this file as well as the libpcslite
helped, thanks a lot!
> * Another was that the ssh-agent support is not enabled out of the box.
> This may be enabled by editing /etc/X11/Xsession.d/90gpg-agent and
> adding "--enable-ssh-support" in the appropriate place (around line 17).
>
> *The final thing I needed to do was to install the package
> libpcsclite-dev. This installs the symlink /usr/lib/libpcsclite.so,
> linked to /usr/lib/libpcslite.so.1.0.0. Or of course, you could create
> that symlink yourself. This also appears to have been fixed in feisty,
> though you do still need libpcsclite1 (and pcscd).
>
> -Alex Mauer "hawke"
>
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
- --
Met vriendelijke groeten,
Remco Post
SARA - Reken- en Netwerkdiensten http://www.sara.nl
High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC
"I really didn't foresee the Internet. But then, neither did the
computer industry. Not that that tells us very much of course - the
computer industry didn't even foresee that the century was going to
end." -- Douglas Adams
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQCVAwUBRcrxnCrZkcVehrp5AQKo2wP9GNeFlAKXH1J6xCml/tCoap16xxqn8lEp
JZ99bwap7GpChuX0qEfHZT6KDK5GuVlJgJ8HzkOmERy/lXIw423bR/M1sWJH/DI2
NTeYiGZ0etS9yDGn6fGfHnLZLpN9djbEYTHCehNz7futl+oYFZxygzP6i8jPFsq3
PxqQf3E3rU4=
=GUgP
-----END PGP SIGNATURE-----
From ber at webschuur.com Thu Feb 8 13:03:05 2007
From: ber at webschuur.com (=?iso-8859-1?q?B=E8r_Kessels?=)
Date: Thu, 8 Feb 2007 13:03:05 +0100
Subject: Keyrings for websites
Message-ID: <200702081303.09540.ber@webschuur.com>
Hello,
With the current growth of online services that talk to eachother (the web2.0)
I thought it a good idea to think about a way to determine "trust" between
the sites.
If my site shares its spam tokens, comments, search results, tags and pictures
(etc) with a cloud of sites, it could be a good idea to establish a
trust-ring.
I therefore thought it an interesting idea to make keys not just for people,
but for a website. That way I can sign public keys from other sites and give
them a trust weight. That way one can establish a web of trust between sites.
A good way to make sure spammers don't get inbetween your comments, for
example. By allowing so called trackbacks from trusted sites only, one can
reduce the amount of spam greatly. By sending my tags to trusted sites only,
I can make sure that not some malafide "content thief" runs off with my
valuable content, yet still share it.
It is still an idea. And no code is made yet. But I am heavy into Drupal (been
full time developer for it for over 4 years), and I can introduce this
concept there, then hope it takes off into wordpress, plone and other Open
Source, or Closed source CMses.
All I need is some general idea wether or not this will a) work at all and b)
is possible with gnupg, and c) if it would not 'threaten' gnug too much.
thanks for reading,
B?r
--
Drupal, Ruby on Rails and Joomla! development: webschuur.com | Drupal hosting:
www.sympal.nl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20070208/7d647a3f/attachment.pgp
From jbruni at mac.com Thu Feb 8 15:36:37 2007
From: jbruni at mac.com (Joseph Oreste Bruni)
Date: Thu, 8 Feb 2007 07:36:37 -0700
Subject: Keyrings for websites
In-Reply-To: <200702081303.09540.ber@webschuur.com>
References: <200702081303.09540.ber@webschuur.com>
Message-ID:
You might want to check out "Domain Keys" which is used to
authenticate email sessions between MTA's.
Also, peer-to-peer authentication can be accomplished via X.509
certificates and SSL.
Joe
On Feb 8, 2007, at 5:03 AM, B?r Kessels wrote:
> Hello,
>
> With the current growth of online services that talk to eachother
> (the web2.0)
> I thought it a good idea to think about a way to determine "trust"
> between
> the sites.
> ...
> B?r
> --
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2508 bytes
Desc: not available
Url : /pipermail/attachments/20070208/4d8a1abb/attachment.bin
From markybob at gmail.com Thu Feb 8 10:59:26 2007
From: markybob at gmail.com (Mark Pinto)
Date: Thu, 8 Feb 2007 04:59:26 -0500
Subject: gen-key non-interactively
Message-ID: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com>
I'm wanting to pass all of the information that gpg needs to create a
key (key size, type, expiration, userid, etc) initially and not have
gpg keep pausing to ask the user. I've read the man page, read gpg
--help, googled, and I still cant figure out how to pass those things
to gpg while using --gen-key. Any help would be *greatly*
appreciated.
Thank you,
Mark Pinto
From schneecrash+gnupg-users at gmail.com Thu Feb 8 16:44:02 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Thu, 8 Feb 2007 07:44:02 -0800
Subject: gen-key non-interactively
In-Reply-To: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com>
References: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com>
Message-ID: <70f41ba20702080744s1d71f49bs8e27e749feff96a4@mail.gmail.com>
here's an "expect"-based function i use in a bash script for just such purpose,
# function: "DO_GENKEY_SESSION"
# auto-execute a GPG --gen-key session
# usage:
# DO_GENKEY_SESSION (SELECTION) $NOTATION $COMMENT
# gen-key dialog options (SELECTION):
# Please select what kind of key you want:
# (1) DSA and Elgamal (default)
# (2) DSA (sign only)
# (3) DSA (set your own capabilities)
# (5) RSA (sign only)
# (7) RSA (set your own capabilities)
DO_GENKEY_SESSION () {
echo "START: $COMMENT"
VAR=$($EXPECT -c "
spawn $GPG $GPG_RING_OPTS --expert --cert-notation $NOTATION --gen-key
set timeout -1
stty -echo
expect \"Your selection? \"
exp_send \"$1\n\"
expect -re \"(What keysize do you want\?).*\\\\(\[0-9\]*\\\\) \"
exp_send \"$BITS\n\"
expect \"Key is valid for? (0) \"
exp_send \"0\n\"
expect \"Is this correct? (y/N) \"
exp_send \"y\n\"
expect \"Real name: \"
exp_send \"$NAME_REAL\n\"
expect \"Email address: \"
exp_send \"$EMAIL\n\"
expect \"Comment: \"
exp_send \"$SIG_COMMENT\n\"
expect \"(O)kay/(Q)uit? \"
exp_send \"O\n\"
expect \"Enter passphrase: \"
exp_send \"$PASS\n\"
expect \"Repeat passphrase: \"
exp_send \"$PASS\n\"
expect exp_continue -continue_timer
")
echo " DONE"
}
of course, you define/pass/replace the various vars as you need/like ...
hth!
From dshaw at jabberwocky.com Thu Feb 8 17:08:36 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 8 Feb 2007 11:08:36 -0500
Subject: gen-key non-interactively
In-Reply-To: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com>
References: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com>
Message-ID: <20070208160836.GA22488@jabberwocky.com>
On Thu, Feb 08, 2007 at 04:59:26AM -0500, Mark Pinto wrote:
> I'm wanting to pass all of the information that gpg needs to create a
> key (key size, type, expiration, userid, etc) initially and not have
> gpg keep pausing to ask the user. I've read the man page, read gpg
> --help, googled, and I still cant figure out how to pass those things
> to gpg while using --gen-key. Any help would be *greatly*
> appreciated.
Make a file that looks like this:
%echo Generating a standard key
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Subkey-Length: 1024
Name-Real: Joe Tester
Name-Email: joe at foo.bar
Passphrase: abc
%pubring foo.pub
%secring foo.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
Then do:
gpg --batch --gen-key /path/to/the/file/above
End result will be a public key in foo.pub and secret key in foo.sec.
See the DETAILS file (in the doc directory) for the various things you
can do.
David
From wk at gnupg.org Thu Feb 8 17:13:13 2007
From: wk at gnupg.org (Werner Koch)
Date: Thu, 08 Feb 2007 17:13:13 +0100
Subject: gen-key non-interactively
In-Reply-To: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com>
(Mark Pinto's message of "Thu\, 8 Feb 2007 04\:59\:26 -0500")
References: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com>
Message-ID: <871wl0pqzq.fsf@wheatstone.g10code.de>
On Thu, 8 Feb 2007 10:59, markybob at gmail.com said:
> I'm wanting to pass all of the information that gpg needs to create a
> key (key size, type, expiration, userid, etc) initially and not have
> gpg keep pausing to ask the user. I've read the man page, read gpg
> --help, googled, and I still cant figure out how to pass those things
> to gpg while using --gen-key. Any help would be *greatly*
Check out the the file DETAILS. It should explain everything. I have
copied the section below.
Shalom-Salam,
Werner
Unattended key generation
=========================
This feature allows unattended generation of keys controlled by a
parameter file. To use this feature, you use --gen-key together with
--batch and feed the parameters either from stdin or from a file given
on the commandline.
The format of this file is as follows:
o Text only, line length is limited to about 1000 chars.
o You must use UTF-8 encoding to specify non-ascii characters.
o Empty lines are ignored.
o Leading and trailing spaces are ignored.
o A hash sign as the first non white space character indicates a comment line.
o Control statements are indicated by a leading percent sign, the
arguments are separated by white space from the keyword.
o Parameters are specified by a keyword, followed by a colon. Arguments
are separated by white space.
o The first parameter must be "Key-Type", control statements
may be placed anywhere.
o Key generation takes place when either the end of the parameter file
is reached, the next "Key-Type" parameter is encountered or at the
control statement "%commit"
o Control statements:
%echo
Print .
%dry-run
Suppress actual key generation (useful for syntax checking).
%commit
Perform the key generation. An implicit commit is done
at the next "Key-Type" parameter.
%pubring
%secring
Do not write the key to the default or commandline given
keyring but to . This must be given before the first
commit to take place, duplicate specification of the same filename
is ignored, the last filename before a commit is used.
The filename is used until a new filename is used (at commit points)
and all keys are written to that file. If a new filename is given,
this file is created (and overwrites an existing one).
Both control statements must be given.
o The order of the parameters does not matter except for "Key-Type"
which must be the first parameter. The parameters are only for the
generated keyblock and parameters from previous key generations are not
used. Some syntactically checks may be performed.
The currently defined parameters are:
Key-Type: |
Starts a new parameter block by giving the type of the
primary key. The algorithm must be capable of signing.
This is a required parameter.
Key-Length:
Length of the key in bits. Default is 1024.
Key-Usage:
Space or comma delimited list of key usage, allowed values are
"encrypt", "sign", and "auth". This is used to generate the
key flags. Please make sure that the algorithm is capable of
this usage. Note that OpenPGP requires that all primary keys
are capable of certification, so no matter what usage is given
here, the "cert" flag will be on. If no Key-Usage is
specified, all the allowed usages for that particular
algorithm are used.
Subkey-Type: |
This generates a secondary key. Currently only one subkey
can be handled.
Subkey-Length:
Length of the subkey in bits. Default is 1024.
Subkey-Usage:
Similar to Key-Usage.
Passphrase:
If you want to specify a passphrase for the secret key,
enter it here. Default is not to use any passphrase.
Name-Real:
Name-Comment:
Name-Email:
The 3 parts of a key. Remember to use UTF-8 here.
If you don't give any of them, no user ID is created.
Expire-Date: |([d|w|m|y])
Set the expiration date for the key (and the subkey). It
may either be entered in ISO date format (2000-08-15) or as
number of days, weeks, month or years. Without a letter days
are assumed.
Preferences:
Set the cipher, hash, and compression preference values for
this key. This expects the same type of string as "setpref"
in the --edit menu.
Revoker: : [sensitive]
Add a designated revoker to the generated key. Algo is the
public key algorithm of the designated revoker (i.e. RSA=1,
DSA=17, etc.) Fpr is the fingerprint of the designated
revoker. The optional "sensitive" flag marks the designated
revoker as sensitive information. Only v4 keys may be
designated revokers.
Handle:
This is an optional parameter only used with the status lines
KEY_CREATED and KEY_NOT_CREATED. STRING may be up to 100
characters and should not contain spaces. It is useful for
batch key generation to associate a key parameter block with a
status line.
Keyserver:
This is an optional parameter that specifies the preferred
keyserver URL for the key.
Here is an example:
$ cat >foo <
ssb 1024g/8F70E2C0 2000-03-09
From ber at webschuur.com Thu Feb 8 17:32:30 2007
From: ber at webschuur.com (=?utf-8?q?B=C3=A8r_Kessels?=)
Date: Thu, 8 Feb 2007 17:32:30 +0100
Subject: Keyrings for websites
In-Reply-To:
References: <200702081303.09540.ber@webschuur.com>
Message-ID: <200702081732.31135.ber@webschuur.com>
Hello,
Op donderdag 8 februari 2007 15:36, schreef Joseph Oreste Bruni:
> You might want to check out "Domain Keys" which is used to ?
> authenticate email sessions between MTA's.
>
> Also, peer-to-peer authentication can be accomplished via X.509 ?
> certificates and SSL.
Ye, I am aware of the X.509 to authenticate servers. Also I know my way around
in the SSL "stuff". This, however, is a different thing then what I want to
achieve. I am not so much interested in secure connections, nor in
authentication, between peers.
What I want, is a way to say 'look, I am Foo.com, and I trust Bar.com
ultimately. Since you trust me, you can trust Bar.com too'. That way one can
allow sign-ins from other trusted sites, trackbacs etc.
Thanks for the feedback, though.
B?r
--
Drupal, Ruby on Rails and Joomla! development: webschuur.com | Drupal hosting:
www.sympal.nl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20070208/ff852ca0/attachment-0001.pgp
From anon-bounces at deuxpi.ca Thu Feb 8 14:43:46 2007
From: anon-bounces at deuxpi.ca (Anonyma)
Date: Thu, 8 Feb 2007 08:43:46 -0500 (EST)
Subject: making a passphrase by doubling a password and tweaking the end
Message-ID:
(This is as much about ssh as gpg, but I figure there should be some
passphrase expertise here.)
Suppose my shell password is "SapNilph4" (I just got that from APG),
is it stupid to make a passphrase for an ssh or gpg key by doubling it
and changing the end, for example "SapNilph4SapNilph3"? Or am I
really wasting potential entropy this way?
thanks
From dshaw at jabberwocky.com Thu Feb 8 17:10:02 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 8 Feb 2007 11:10:02 -0500
Subject: gen-key non-interactively
In-Reply-To: <70f41ba20702080744s1d71f49bs8e27e749feff96a4@mail.gmail.com>
References: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com>
<70f41ba20702080744s1d71f49bs8e27e749feff96a4@mail.gmail.com>
Message-ID: <20070208161002.GB22488@jabberwocky.com>
On Thu, Feb 08, 2007 at 07:44:02AM -0800, snowcrash+gnupg-users wrote:
> here's an "expect"-based function i use in a bash script for just such purpose,
>
> # function: "DO_GENKEY_SESSION"
> # auto-execute a GPG --gen-key session
> # usage:
> # DO_GENKEY_SESSION (SELECTION) $NOTATION $COMMENT
> # gen-key dialog options (SELECTION):
> # Please select what kind of key you want:
> # (1) DSA and Elgamal (default)
> # (2) DSA (sign only)
> # (3) DSA (set your own capabilities)
> # (5) RSA (sign only)
> # (7) RSA (set your own capabilities)
> DO_GENKEY_SESSION () {
> echo "START: $COMMENT"
> VAR=$($EXPECT -c "
I strongly advise against using expect to generate keys. Your expect
script will break when we change the text that GPG displays. If you
want to generate keys unattended, then use the --batch --gen-key
interface.
David
From rjh at sixdemonbag.org Thu Feb 8 18:07:58 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 8 Feb 2007 11:07:58 -0600
Subject: making a passphrase by doubling a password and tweaking the end
In-Reply-To:
References:
Message-ID: <3555FBDB-5298-4E4A-B5DD-D57B1FEFEA3D@sixdemonbag.org>
> Suppose my shell password is "SapNilph4" (I just got that from APG),
> is it stupid to make a passphrase for an ssh or gpg key by doubling it
> and changing the end, for example "SapNilph4SapNilph3"? Or am I
> really wasting potential entropy this way?
Stupid? No. May not be especially wise, though. GnuPG passphrases,
like root login passwords, are very high-value secrets. You should
plan for them to be compromised at some point. If your root login
gets compromised and your GnuPG passphrase is derivable from your
root login, then you've got two high-value secrets compromised. Vice-
versa is the same way.
So while no, you're not wasting entropy, this may not be wise due to
how it complicates your failsafe plans.
From schneecrash+gnupg-users at gmail.com Thu Feb 8 18:14:19 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Thu, 8 Feb 2007 09:14:19 -0800
Subject: gen-key non-interactively
In-Reply-To: <20070208161002.GB22488@jabberwocky.com>
References: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com>
<70f41ba20702080744s1d71f49bs8e27e749feff96a4@mail.gmail.com>
<20070208161002.GB22488@jabberwocky.com>
Message-ID: <70f41ba20702080914s6927c25bq910476c36ef997bd@mail.gmail.com>
> I strongly advise against using expect to generate keys. Your expect
> script will break when we change the text that GPG displays. If you
> want to generate keys unattended, then use the --batch --gen-key
> interface.
i clearly understand that, and will manage my script(s) accordingly.
thanks. :-)
fwiw, the snippet i attached is a part of a larger, expect-based
script i use to roll-out gpg "key packages" to new employees. as
'batch' support is only, currently provided (afaict ...) for gen-key,
i simply use expect (even though i think it's a major pita!) to be
consistent across all my other script functions.
atm, there's no other convenient full-autommation option that i'm
aware of; and, again, yes, i know it's 'upgrade fragile'.
thanks.
From hawke at hawkesnest.net Thu Feb 8 18:22:02 2007
From: hawke at hawkesnest.net (Alex Mauer)
Date: Thu, 08 Feb 2007 11:22:02 -0600
Subject: OpenPGP card and secret keys
In-Reply-To: <87odo5td9l.fsf__10151.5237045989$1170913958$gmane$org@wheatstone.g10code.de>
References:
<87odo5td9l.fsf__10151.5237045989$1170913958$gmane$org@wheatstone.g10code.de>
Message-ID:
Werner Koch wrote:
> Okay, so it is not a communication problem with teh card. Please run
>
> gpg --debug 64 --clearsign test.txt
>
> To see why gpg tries to use the primary key.
aha! it does not. It's trying to use a different subkey instead.
Surely missing secret key parts would be cause to reject that subkey as
a candidate for use, and just because secret parts are missing for one
subkey doesn't mean they're missing for all subkeys, right?
$ gpg --debug 64 --clearsign test.txt
gpg: DBG: finish_lookup: checking key 51192FF2 (all)(req_usage=0)
gpg: DBG: using key 51192FF2
gpg: DBG: finish_lookup: checking key 51192FF2 (all)(req_usage=1)
gpg: DBG: checking subkey 4A1C1224
gpg: DBG: subkey looks fine
gpg: DBG: checking subkey F4878DDE
gpg: DBG: usage does not match: want=1 have=2
gpg: DBG: checking subkey 9A37EEFF
gpg: DBG: subkey looks fine
gpg: DBG: using key 9A37EEFF
gpg: DBG: cache_user_id: already in cache
gpg: secret key parts are not available
gpg: no default secret key: general error
gpg: test.txt: clearsign failed: general error
secmem usage: 1408/3488 bytes in 2/15 blocks of pool 3488/32768
From roam at ringlet.net Thu Feb 8 16:51:03 2007
From: roam at ringlet.net (Peter Pentchev)
Date: Thu, 8 Feb 2007 17:51:03 +0200
Subject: gen-key non-interactively
In-Reply-To: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com>
References: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com>
Message-ID: <20070208155103.GB1621@straylight.m.ringlet.net>
On Thu, Feb 08, 2007 at 04:59:26AM -0500, Mark Pinto wrote:
> I'm wanting to pass all of the information that gpg needs to create a
> key (key size, type, expiration, userid, etc) initially and not have
> gpg keep pausing to ask the user. I've read the man page, read gpg
> --help, googled, and I still cant figure out how to pass those things
> to gpg while using --gen-key. Any help would be *greatly*
> appreciated.
If you are trying to do this as part of a bigger program, you might
want to check out the gpgme and libgcrypt libraries.
Otherwise, the gnupg manual page mentions an experimental method for
using --gen-key non-interactively, which is described in the DETAILS
file in the doc/ subdirectory of the gnupg source archive. Thus, you
need to download the gnupg source (either 1.4.x or 2.0.x, depending on
which version you're using anyway), read the doc/DETAILS file, and see
if the method described there works for you. I just tried it with
GnuPG 1.4.6, and it worked just fine here.
G'luck,
Peter
--
Peter Pentchev roam at ringlet.net roam at cnsys.bg roam at FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If the meanings of 'true' and 'false' were switched, then this sentence wouldn't be false.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : /pipermail/attachments/20070208/0a3372dc/attachment.pgp
From roam at ringlet.net Thu Feb 8 16:01:30 2007
From: roam at ringlet.net (Peter Pentchev)
Date: Thu, 8 Feb 2007 17:01:30 +0200
Subject: Keyrings for websites
In-Reply-To: <200702081303.09540.ber@webschuur.com>
References: <200702081303.09540.ber@webschuur.com>
Message-ID: <20070208150130.GA1621@straylight.m.ringlet.net>
On Thu, Feb 08, 2007 at 01:03:05PM +0100, B?r Kessels wrote:
> Hello,
>
> With the current growth of online services that talk to eachother (the
> web2.0) I thought it a good idea to think about a way to determine
> "trust" between the sites.
>
> If my site shares its spam tokens, comments, search results, tags and
> pictures (etc) with a cloud of sites, it could be a good idea to
> establish a trust-ring.
>
> I therefore thought it an interesting idea to make keys not just for
> people, but for a website. That way I can sign public keys from other
> sites and give them a trust weight.
[snip]
>
> It is still an idea. And no code is made yet. But I am heavy into
> Drupal (been full time developer for it for over 4 years), and I can
> introduce this concept there, then hope it takes off into wordpress,
> plone and other Open Source, or Closed source CMses.
>
> All I need is some general idea wether or not this will a) work at all
> and b) is possible with gnupg, and c) if it would not 'threaten' gnug
> too much.
It ought to be both possible and trivial.
ISTR several discussions on this mailing list, where people mentioned
using PGP keys (or rather, uid's) with only names, no e-mail addresses.
You could either use such keys with the hostname (or the full path to
the web application) placed directly in the "name" part of the user ID,
or develop some kind of machine-readable encoding to represent a host
name, application path, application name, or any level of detail you
feel comfortable with, and then place those in the "name" or the
"comment" part of the key's user ID. After that, proceed as usual -
sign the user-ID with the key itself (GnuPG should do that as part of
the key generation anyway), sign it with your own key, and send the
public key to the others. They should generate keys for their web apps
too, sign them with their own (developers') keys, and send them to you.
Then each of you establishes his own trustdb, places trust in (some of)
the developers' keys, and off you go.
G'luck,
Peter
--
Peter Pentchev roam at ringlet.net roam at cnsys.bg roam at FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This inert sentence is my body, but my soul is alive, dancing in the sparks of your brain.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : /pipermail/attachments/20070208/72ecdc95/attachment.pgp
From alex at bofh.net.pl Thu Feb 8 17:49:11 2007
From: alex at bofh.net.pl (Janusz A. Urbanowicz)
Date: Thu, 8 Feb 2007 17:49:11 +0100
Subject: Keyrings for websites
In-Reply-To: <200702081732.31135.ber@webschuur.com>
References: <200702081303.09540.ber@webschuur.com>
<200702081732.31135.ber@webschuur.com>
Message-ID: <20070208164911.GG11476@hell.pl>
On Thu, Feb 08, 2007 at 05:32:30PM +0100, B??r Kessels wrote:
> Hello,
>
> Op donderdag 8 februari 2007 15:36, schreef Joseph Oreste Bruni:
> > You might want to check out "Domain Keys" which is used to ?
> > authenticate email sessions between MTA's.
> >
> > Also, peer-to-peer authentication can be accomplished via X.509 ?
> > certificates and SSL.
>
> Ye, I am aware of the X.509 to authenticate servers. Also I know my way around
> in the SSL "stuff". This, however, is a different thing then what I want to
> achieve. I am not so much interested in secure connections, nor in
> authentication, between peers.
>
> What I want, is a way to say 'look, I am Foo.com, and I trust Bar.com
> ultimately. Since you trust me, you can trust Bar.com too'. That way one can
> allow sign-ins from other trusted sites, trackbacs etc.
>
> Thanks for the feedback, though.
Check out OpenID, although it is not cryptography based (AFAIK).
Alex
--
JID: alex at hell.pl
PGP: 0x46399138
od zwracania uwagi na detale s? lekarze, adwokaci, programi?ci i zegarmistrze
-- Czerski
From hawke at hawkesnest.net Thu Feb 8 20:10:00 2007
From: hawke at hawkesnest.net (Alex Mauer)
Date: Thu, 08 Feb 2007 13:10:00 -0600
Subject: Keyrings for websites
In-Reply-To: <20070208150130.GA1621__4230.98337273604$1170958920$gmane$org@straylight.m.ringlet.net>
References: <200702081303.09540.ber@webschuur.com>
<20070208150130.GA1621__4230.98337273604$1170958920$gmane$org@straylight.m.ringlet.net>
Message-ID:
Peter Pentchev wrote:
> using PGP keys (or rather, uid's) with only names, no e-mail addresses.
> You could either use such keys with the hostname (or the full path to
> the web application) placed directly in the "name" part of the user ID,
> or develop some kind of machine-readable encoding to represent a host
> name, application path, application name, or any level of detail you
> feel comfortable with, and then place those in the "name" or the
> "comment" part of the key's user ID. After that, proceed as usual -
This sort of overloading of the name/comment/email fields bothers me. I
wish that UIDs were more of a key/value system (one key/value pair per
IUID), e.g. name=William Surrey, email=bill at home.example.org,
email=william.surrey at business.example.com, comment=Billy's key,
alias=Bill; or name=Example's awesome wiki!, hostname=www.example.org,
application=mediawiki (for the purpose given above). I'm thinking
something equivalent to what vorbis comments are for ogg vorbis audio
files. See http://xiph.org/vorbis/doc/v-comment.html
Of course, I doubt that the OpenPGP spec allows for this sort of
extensibility in the comments, or if it does that anyone's willing to
implement it (or it would have been done by now). But it sure would be
great if it were to happen.
From newsgroups at thomas-huehn.de Thu Feb 8 20:24:37 2007
From: newsgroups at thomas-huehn.de (=?iso-8859-1?Q?Thomas_H=FChn?=)
Date: Thu, 08 Feb 2007 20:24:37 +0100
Subject: Keyrings for websites
References: <200702081303.09540.ber@webschuur.com>
<20070208150130.GA1621__4230.98337273604$1170958920$gmane$org@straylight.m.ringlet.net>
Message-ID: <87d54kpi4q.fsf@mid.thomas-huehn.de>
Alex Mauer writes:
> This sort of overloading of the name/comment/email fields bothers me. I
> wish that UIDs were more of a key/value system (one key/value pair per
As far as I understand it there are no such fields. User ID is freeform,
just a string.
So feel free to put in "Key: Value" or whatever you'd like to.
Thomas
From wk at gnupg.org Thu Feb 8 20:28:55 2007
From: wk at gnupg.org (Werner Koch)
Date: Thu, 08 Feb 2007 20:28:55 +0100
Subject: gen-key non-interactively
In-Reply-To: <20070208155103.GB1621@straylight.m.ringlet.net> (Peter
Pentchev's message of "Thu\, 8 Feb 2007 17\:51\:03 +0200")
References: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com>
<20070208155103.GB1621@straylight.m.ringlet.net>
Message-ID: <87veicla88.fsf@wheatstone.g10code.de>
On Thu, 8 Feb 2007 16:51, roam at ringlet.net said:
> Otherwise, the gnupg manual page mentions an experimental method for
BTW, I forgot to remove the "experimental" tag. That is a stable
feature and useful for production.
Salam-Shalom,
Werner
From wk at gnupg.org Thu Feb 8 20:44:00 2007
From: wk at gnupg.org (Werner Koch)
Date: Thu, 08 Feb 2007 20:44:00 +0100
Subject: Keyrings for websites
In-Reply-To: (Alex Mauer's message of "Thu\, 08
Feb 2007 13\:10\:00 -0600")
References: <200702081303.09540.ber@webschuur.com>
<20070208150130.GA1621__4230.98337273604$1170958920$gmane$org@straylight.m.ringlet.net>
Message-ID: <87d54kl9j3.fsf@wheatstone.g10code.de>
On Thu, 8 Feb 2007 20:10, hawke at hawkesnest.net said:
> wish that UIDs were more of a key/value system (one key/value pair per
You may use notations for this. They are however stored with the
self-signature, so some care needs to be taken.
If you need something simialr to the user ID, use the User Attribute
Packet (Tag 17). It is currently only used for the photo ID but it
may be extended. From the latest OpenPGP I-D:
The User Attribute packet is a variation of the User ID packet. It
is capable of storing more types of data than the User ID packet
which is limited to text. Like the User ID packet, a User Attribute
packet may be certified by the key owner ("self-signed") or any
other key owner who cares to certify it. Except as noted, a User
Attribute packet may be used anywhere that a User ID packet may be
used.
While User Attribute packets are not a required part of the OpenPGP
standard, implementations SHOULD provide at least enough
compatibility to properly handle a certification signature on the
User Attribute packet. A simple way to do this is by treating the
User Attribute packet as a User ID packet with opaque contents, but
an implementation may use any method desired.
The User Attribute packet is made up of one or more attribute
subpackets. Each subpacket consists of a subpacket header and a
body. The header consists of:
- the subpacket length (1, 2, or 5 octets)
- the subpacket type (1 octet)
and is followed by the subpacket specific data.
The only currently defined subpacket type is 1, signifying an image.
An implementation SHOULD ignore any subpacket of a type that it does
not recognize. Subpacket types 100 through 110 are reserved for
private or experimental use.
Salam-Shalom,
Werner
From j.lysdal at gmail.com Thu Feb 8 21:24:17 2007
From: j.lysdal at gmail.com (=?ISO-8859-1?Q?J=F8rgen_Lysdal?=)
Date: Thu, 08 Feb 2007 21:24:17 +0100
Subject: GnuPG on MS Vista
Message-ID: <45CB86F1.7000607@gmail.com>
Hi, it appears to be impossible to connect to any keyservers
through gpg on my newly installed Vista box. I have disabled
UAC and im running as admin, so that should not be the cause
of any problems.
Whenever i try to get something from a keyserver i get:
gpg: refreshing 1 key from hkp://pgpkeys.pca.dfn.de
gpg: requesting key xxxxxxxx from hkp server pgpkeys.pca.dfn.de
gpgkeys: no key data found for hkp://pgpkeys.pca.dfn.de/
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
All the keyservers i have tried works well when using their
web interface. Does anyone know how to solve this problem?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 368 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20070208/2f93c123/attachment.pgp
From hhhobbit at securemecca.net Thu Feb 8 21:37:29 2007
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Thu, 08 Feb 2007 13:37:29 -0700
Subject: New command line language parameter
In-Reply-To:
References:
Message-ID: <45CB8A09.7090004@securemecca.net>
Werner Koch said:
> On Mon, 5 Feb 2007 14:57, jmarugan at alumnos.upm.es said:
>
>
>>I tried the SET LANG=xx and as far as i read in the GPG documentation
>>and mailing list's posts, this is only for POSIX systems, not for
>>windows, at least in windows doesn't work in all the ways i tried.
>
>
> You are right. It works for GPA but not for GPG because with gpg we
> use a simplified version of gettext. This is easy to fix.
>
>
>>I'm afraid the only way to use a language file in windows is the
>>registry or a new command line parameter.
>
>
> No. A command line option won't work because how would you then print
> a localized message like "invalid option" or diagnostics printed even
> before any option has been parsed.
Now be patient here for a moment. All of the following IS related to
running GnuPG on Windows! To lead it all off, if you are running as
an Administrator user all the time on Windows you are doing the
equivalent of RUNNING AS root ALL THE TIME ON A UNIX SYSTEM! The
present Windows GnuPG 1.4.X installs assume people do this. Most
of them probably do run their Windows system this way, but that
doesn't make it the only way, and I believe it is NOT THE RIGHT
WAY! Microsoft isn't helping them do it properly either.
NOW HAVING SAID WHAT I JUST SAID, IF YOU ARE *NOT* A MICROSOFT
WINDOWS USER DELETE THIS MESSAGE AND MOVE ON! TRUST ME! You
are wasting your time reading unless you use Microsoft Windows
either ALL or a substantial amount of the time. You will just
get confused until you understand how Microsoft Windows works.
Even a lot of full-time Microsoft Windows users don't know how
it works. I should know. I help them all the time and am
apalled at how little they know about a system they have used
for years. Some of them I have given up on them EVER understanding
their systems.
Where is the URL on setting these language settings in the HKCU
registry keys? I am getting ready to put a lot of this stuff up
on web pages. I already have a ZIP file with SOME of what is
needed in it. I will have a web page or a set of web pages that
will be devoted strictly to GnuPG (1.4.x) on Windows. I WILL
provide REG files for what some people think in this forum are
strange situations. I suppose this could be one of them. I
posted an actual REG file in this forum and somebody didn't even
see the REG4 at the top of it and said I should provide the actual
REG file. I DID provide the actual REG file! All they had to do
was to copy and paste, AND THEN ALTER SOME VARIABLES. You cannot
use ENVIRONMENT variables in a REG file since they are part of
the registry anyway. But this forum is NOT the right place to do
it. What I posted was partially wrong anyway.
It had the HKLM entries which I will either let the install do, or
provide an HKLM.reg file. What is needed for most people are the
HKCU keys for each Windows user that is running as a restricted
user. You can fix the code if you want to Werner, but the proper
way for a lot of this stuff on Windows is to put it into the
registry. Even the ENVIRONMENT variables are stored in, you
guessed it - THE REGISTRY! They are in the HKLM hive
for the ones in the lower everybody panel and in the HKCU area
for the ones in the uppger panel if you use the Control Panel
method to look at the environment variables.
There are several other things going along with this like the fact that
without using higher order registry editing tools (not regedit) you
can't normally dive into anybody else's HKCU hive. You normally only
see your own (the one belonging to who you logged in as). Reading and
adding or modifying somebody else's HKCU entries is possible but I
consider that more esoteric than just providing somebody with a REG
file and telling them to modify it. I am looking at writing a program
that will actually create the REG file for them (yes, overkill, but
it saves people from typing mistakes). What is being provided in the
GnuPG install is only suitable for idiots who run as an Administrator,
all the time with only one account on the system and that one is an
Administrator account (you need at least one). They can keep their
account as an Administrator and install the Drop My Rights program
(which I give to everybody because that is usually more than they
can do even if I provide them *.lnk files to paste onto the desktop
and in the Start folders which even then they seem to muck up):
http://tinyurl.com/3u46a
That is unsuitable because likely or not somebody is going to message
the default browser which is running in admin space and can thus
modify the HKLM keys and all the files in the %WinDir% folder and all
sub-folders. Even if the browser is messaged into running with lower
privileges via DropMyRights.exe, a RealPlayer or Windows Media Player
is messaged into running as the logged in user. Windows dows NOT fork
off the App like Unix systems do. Nevertheless, that is what I used
for years on Administrator accounts for my logon type administrator
accounts. There IS a better Windows way of doing it - the LUA method.
I recommend this way of doing it in home situations:
http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/158806.aspx
That is a MUCH better way of doing it in home or other situations
where you control access to the computer. You are now protecting
your HKLM keys and your %WinDir% folder. That is the reason I was
arguing for putting the iconv.dll file over in the %WinDir% folder.
Now you CAN do an attrib +s on the file where it is at but I have
no guarantees that will keep it safe. You should do an attrib +s
on all your files in the %ProgramFiles% area anyway, unless you
don't consider GnuPG a security product. I just happen to believe
it is a security product. But it is only ONE piece of securing
Windows systems.
One of the things that has occurred to me is to ask the question
"can I make GnuPG say a signed message is okay whether it is or
not?" By that I mean, can I by changing just the message strings
of GnuPG make all signed messages show up as okay? If you don't
think that if GnuPG takes off like mad on Windows and that you
don't have that situation covered that it won't happen, you better
think again. I spend a LOT of time finding out how people subvert
Windows systems. That is because it is done so much. That is
probably more of a flame against Windows users who run their
systems in a stupid manner than a slam against Microsoft, although
Microsoft doesn't help very much. They need to look very seriously
at making it possible for users to login as restricted users and
still have anti-virus programs do their updating, firewalls to
lock the network connections when they walk away, etc. That is
OUTSIDE THE SCOPE OF THIS NEWSGROUP. Doing a proper install of
GnuPG on Windows IS a part of this newsgroup.
If any of you have information of running GnuPG in a Windows
environment with some other way of doing it other than as always
one user with an Administrator account ship it to me. And do NOT
ask me to install CygWin. If I want to run a Nix I shift to
running Fedora Core Linux which I use over 85% of the time.
That does NOT mean I am not a very knowledgeable Windows user.
I am VERY good at understanding it.
On the other hand if you want to flame me and say I am stupid,
or that I need lessons in writing, or that all I am doing is
spamming like a University Computer Science Professor recently
said I was doing (I believe he was the department chair), then
HIT THE DELETE BUTTON instead. But please stop being arrogant
unless you really know more about Windows than I do. If you
have information for setting up GnuPG for WINDOWS users that
run their systems as safely as possible (GnuPG is only one
piece of that puzzle), then send it to me. But do it out of
group please. I don't think it is of much general interest.
>From now on I will just write a simple - check this page out
and paste the the URL in it, mostly OUT of newsgroup in
private email messages.
Thanks
HHH
From dshaw at jabberwocky.com Thu Feb 8 21:45:32 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 8 Feb 2007 15:45:32 -0500
Subject: GnuPG on MS Vista
In-Reply-To: <45CB86F1.7000607@gmail.com>
References: <45CB86F1.7000607@gmail.com>
Message-ID: <20070208204532.GA23127@jabberwocky.com>
On Thu, Feb 08, 2007 at 09:24:17PM +0100, J?rgen Lysdal wrote:
> Hi, it appears to be impossible to connect to any keyservers
> through gpg on my newly installed Vista box. I have disabled
> UAC and im running as admin, so that should not be the cause
> of any problems.
>
> Whenever i try to get something from a keyserver i get:
>
> gpg: refreshing 1 key from hkp://pgpkeys.pca.dfn.de
> gpg: requesting key xxxxxxxx from hkp server pgpkeys.pca.dfn.de
> gpgkeys: no key data found for hkp://pgpkeys.pca.dfn.de/
> gpg: no valid OpenPGP data found.
> gpg: Total number processed: 0
>
> All the keyservers i have tried works well when using their
> web interface. Does anyone know how to solve this problem?
Can you do the request, but add
--debug 1024 --keyserver-options "use-temp-files keep-temp-files"
There will be a line that says something like "DBG: Using temp file
such-and-such". Send me the tempin.txt and tempout.txt file.
David
From rjh at sixdemonbag.org Thu Feb 8 21:58:16 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 8 Feb 2007 14:58:16 -0600
Subject: GnuPG on MS Vista
In-Reply-To: <20070208204532.GA23127@jabberwocky.com>
References: <45CB86F1.7000607@gmail.com>
<20070208204532.GA23127@jabberwocky.com>
Message-ID:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> There will be a line that says something like "DBG: Using temp file
> such-and-such". Send me the tempin.txt and tempout.txt file.
David--
Vista has radically changed the process of compiling code for the
platform. Neither MinGW nor Cygwin GCC work under Vista without
substantial kludges and workarounds; Microsoft recommends against
VS.NET and VS2003; VS2005 is only supported with the latest service
pack and some known issues. GnuPG will not build with VS2005 without
some major overhauls to the build environment.
While I know that generally the Windows build system involves Linux
and a cross-compiler for Win32, it's very possible behind-the-scenes
changes in Vista will lead to breakage. It may be worth considering
telling people that Vista is an unsupported OS for GnuPG 1.4.x.
(goes back to hacking CMake and VS2005's command-line compiler)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
iQEcBAEBCAAGBQJFy47oAAoJELcA9IL+r4EJeqAH/0Vdb98seQf6gtE8HQLoilgz
l/FaqsxYT1yoq+2rbUcrGyMfBXkeXZMgK31DbEEIapdGSNtwgts0KuIlI7d2y542
IVfe1orchdUtbCJYDAimKufsOlAAl9bqz0gFKvR9VXW+S/YKBMvMjwzxlmSXjZsp
6FkJhPsVDkWWVYinUu8IYHYRp4FdxSQIz5Y4+m2X1SKwLQTTSukGj1QF9x7XTewT
ZO75khQLDT5tbQZM0hvCM90jCWhQb7viw9N1NVsI6RkjOwvv3qRFeavHme/6KDlB
th884fOga/7K0GNmTqNFdkvV2FK8GDf7LNkeXkNZiQBrd5srKAve7VmdSmkfXkg=
=Zs3+
-----END PGP SIGNATURE-----
From j.lysdal at gmail.com Thu Feb 8 22:09:41 2007
From: j.lysdal at gmail.com (=?ISO-8859-1?Q?J=F8rgen_Lysdal?=)
Date: Thu, 08 Feb 2007 22:09:41 +0100
Subject: GnuPG on MS Vista
In-Reply-To:
References: <45CB86F1.7000607@gmail.com> <20070208204532.GA23127@jabberwocky.com>
Message-ID: <45CB9195.40304@gmail.com>
Robert J. Hansen skrev:
> It may be worth considering
> telling people that Vista is an unsupported OS for GnuPG 1.4.x.
But will it be supported in any near future?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 368 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20070208/afa35aa0/attachment.pgp
From rjh at sixdemonbag.org Thu Feb 8 23:02:10 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 8 Feb 2007 16:02:10 -0600
Subject: GnuPG on MS Vista
In-Reply-To: <45CB9195.40304@gmail.com>
References: <45CB86F1.7000607@gmail.com> <20070208204532.GA23127@jabberwocky.com>
<45CB9195.40304@gmail.com>
Message-ID:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> But will it be supported in any near future?
That's up to the GnuPG developers, and whether they have any Vista
boxes available to do regression testing on. They may have already
tested it against Vista; I don't know.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
iQEcBAEBCAAGBQJFy53iAAoJELcA9IL+r4EJQaAH/1lDIIFrnuHMIKidli6PDD0q
+lDHObUHNlAaYOwQinui+O4lyZT2NohRW/ADmtZCw3/qb3H9yhfslQJGuM+8Fqs/
WEjQIbVnVajK6mW5XRE2935YObq8pQKejpcvNS7Bf9sIvj/rQTy9gIzdPYQw/pdM
aBpwzTAVyITFWVPZLnokHgudBMZ4d+kuWB9SKrQ84hpAdTUPbmuRlK1Mq7yttMAX
osXMOUWhwcP8v0O2NIGgfGwSQrVtezMbdGH10Ezs8DqtKq5mTnSp7BOkWjMpBZsm
UMR13AqN8OqPUxeuLHmyzWxdJ8lm8D7of3rMVEtvteGCOqhvgs588j6DNUNub9s=
=yLXD
-----END PGP SIGNATURE-----
From rjh at sixdemonbag.org Thu Feb 8 23:37:05 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 8 Feb 2007 16:37:05 -0600
Subject: New command line language parameter
In-Reply-To: <45CB8A09.7090004@securemecca.net>
References:
<45CB8A09.7090004@securemecca.net>
Message-ID: <55C09D1F-B0D1-49DF-89E8-922BE1CEC491@sixdemonbag.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> The present Windows GnuPG 1.4.X installs assume people [run
> as Administrator].
The installer requires Administrator rights to install to the program
files directory, just like every other Win32 program that wants to
install there. Once installed, GnuPG does not require Administrator
rights to run.
> All they had to do was to copy and paste, AND THEN ALTER
> SOME VARIABLES.
This is unwise from a security perspective. Messing up a registry
file can have terrible consequences. If you're advocating that
people make edits to a registry file without understanding the
registry, what they're looking at, what they're changing, etcetera,
then disaster is waiting in the wings.
Regular users should not edit the Windows registry. Ever.
> There are several other things going along with this like the fact
> that
> without using higher order registry editing tools (not regedit) you
> can't normally dive into anybody else's HKCU hive.
This is by design; it's an important security mechanism. Alice
shouldn't be allowed to inspect or modify Bob's registry entries.
Only the Administrator should have access to everyone's registry
entries.
Please consider the implications of advocating that people bypass a
security mechanism so they can install a piece of security software.
It doesn't make much sense.
> What is being provided in the GnuPG install is only suitable for
> idiots who run as an Administrator, all the time with only one
> account on the system and that one is an Administrator account...
Please do not insult regular users by calling them idiots.
The GnuPG installer is suitable for many kinds of Windows users.
Speaking for myself, I administer a small XP network with several
users, all of whom have GnuPG available to them. Their user accounts
don't have Administrator privileges. The installer worked just fine
for us.
> One of the things that has occurred to me is to ask the question
> "can I make GnuPG say a signed message is okay whether it is or
> not?" By that I mean, can I by changing just the message strings
> of GnuPG make all signed messages show up as okay?
Sure. But if you install it as Administrator, then you need
Administrator privileges to modify the file. If a malicious attacker
has Administrator access to your Windows box, then it's a game-over
condition anyway and there's nothing GnuPG can do to fix this.
> If you don't think that if GnuPG takes off like mad on Windows
According to the Enigmail folks, their number of Windows downloads
are routinely an order of magnitude larger than their number of UNIX
downloads. This strongly suggests more people run GnuPG on Windows
than run GnuPG on UNIX.
> That is probably more of a flame against Windows users who run their
> systems in a stupid manner than a slam against Microsoft, although
> Microsoft doesn't help very much.
Again, we don't need to insult either users or corporations as being
"stupid".
> If any of you have information of running GnuPG in a Windows
> environment with some other way of doing it other than as always
> one user with an Administrator account ship it to me.
Get the zip archive, uncompress it to some directory you own, add
that directory to your own personal PATH.
> On the other hand if you want to flame me and say I am stupid,
> or that I need lessons in writing, or that all I am doing is
> spamming like a University Computer Science Professor recently
> said I was doing (I believe he was the department chair),
I'm not a professor. I'm a pre-comps Ph.D. candidate in computer
science.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
iQEcBAEBCAAGBQJFy6YRAAoJELcA9IL+r4EJw1MH/0pbmIf7FiLrt1Q7b7g/udTF
Urg+DxdhmjujowJLg1qIcD6ntmkiItCjp2ww3zff8/We12faktxt72gyXoV+Qgw+
1gLa1EqATXrLVKxighkg/Yw0PT1yGGHnqFvbnTBT48N5sD8RRjxhu71yD5JzuQCJ
mQS8RF2xGArb0qJTCns0QGsPyD5S83+IE4rMVO6Uc16dpAJmFNdEVlKGcnd2EFU3
aiJ5Mv0tJScPyjP7aGVbCN8nx1eHgwfj8KKK/ExdjkyTaj3ZqMyi8F9zjD2oT28y
etHbI2/ifMZlFEvk9FtWwP+Vx/p08F2vMFpP0G4F4iIZnVRJBWKIjbzpyyWx3KY=
=iaCr
-----END PGP SIGNATURE-----
From sjlopezb at hackindex.com Thu Feb 8 22:21:00 2007
From: sjlopezb at hackindex.com (=?ISO-8859-15?Q?Santiago_Jos=E9_L=F3pez_Borraz=E1s?=)
Date: Thu, 08 Feb 2007 22:21:00 +0100
Subject: A question...
Message-ID: <45CB943C.5010109@foo.hackindex.es>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi:
I ask a question:
How the two lines are removed that appears above all of the signed of messages?
There is some human way to tell him al GnuPG to that show not those two
lines of BEGIN PGP MESSAGE?
TIA.
- --
Slds de Santiago Jos? L?pez Borraz?s. Admin de hackindex.com/.es
Conocimientos avanzados en seguridad inform?tica.
Conocimientos avanzados en redes.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQIVAwUBRcuUO7uF9/q6J55WAQpemhAAopGfH/12MM15MGw8QVDt+607rSiXOLFr
7EWz+TjCLrykZRnCpejq5Bpi6Px9po4YqMyXHJUnHIGuGxlBBCKIXCuohzqlCmJY
Gq8DcY+MXAszqMmpIeLYxYkhRivCJnx7vN+S6AxAvb6wtsChZ53DJDT7fhRpSCHQ
ENEMQqN+AXue7AHA8mO285v3Ago5MccbxiQ9vR+B4y3+5kosaYJFqThlNfPV8Qws
UT/fyfgHQ8nZbQrVlXyLF0Elq32M2sTfecSnL22ZeRfTGpqH2UIZnt00Yo5HJTo4
KRSa+MjlSTTBJfinb/n2yL5aGmxjArdiY/558l+jYIt2dbxpF1t5alXADcBsysJY
ZMIcrJLx9A2OB1wr0QOf2KdaI0iKZGLXiR/hEBo6nMue857uB4TdZt0QV76EKsRY
k6vRTwofk4CZyhy78ceNf3iCoSDRrMCgQzZpvalBCT5hBGEbwEQaxD+4dsmteFv7
5wEXMcTDSWNHaNoiyGuZZuNRgvkCgsczu1KiTN1MBp8/0bBZ3zNym/bWnZdDkDpp
ojoc53ISZwoKji3cxNPuuktcJQBQ7fFrNlJr5GpY+Ssa1hzCZmc3pUIjae6pJB3H
y1Cgj4JilKVoltfrrArk0kGyY+SiqaiUt5MnISUl9lXYUD/upq3vJadyQettdP45
/G0iFEGRVys=
=LvJD
-----END PGP SIGNATURE-----
From rjh at sixdemonbag.org Thu Feb 8 23:56:35 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 8 Feb 2007 16:56:35 -0600
Subject: A question...
In-Reply-To: <45CB943C.5010109@foo.hackindex.es>
References: <45CB943C.5010109@foo.hackindex.es>
Message-ID: <7AF6DCD9-005C-457A-A1D2-DE2D304F46E9@sixdemonbag.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> There is some human way to tell him al GnuPG to that show not those
> two
> lines of BEGIN PGP MESSAGE?
Those two lines are required by OpenPGP and must be present in any
clearsigned message.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
iQEcBAEBCAAGBQJFy6qjAAoJELcA9IL+r4EJ7AgH/2gsEbgOv+mcKDk85YykKIiY
NXnn6dajCXg5/cF4MM3Fsnwu/9Ox6cSLUVDCPZKejZsCMEiNLMOrcjh2N/kGt6mw
OWL7Xoy7gOdKJI56aFDbQlTu2/xtI702tu+uabPZt8HHoE6Wd+LOhNjeCagl4mk+
lIoOl5BxMfCr658gwv3Z9fVblGL3W4DnrqDMyx/uPJP24y2HqwbY950bN6ONpX6X
mganwtJd1Jy/KRuu0628bY14Jxs1DjPQF2zBxnDtTsYx+EJSXgwusnD3N10w6pzX
r/OmGWqjDua2b727cnPLTKvnPBXxzFX7QWGucFbFjeu4DJQep5nb9ZXneP4UKHA=
=On13
-----END PGP SIGNATURE-----
From laurent.jumet at skynet.be Fri Feb 9 01:03:56 2007
From: laurent.jumet at skynet.be (Laurent Jumet)
Date: Fri, 09 Feb 2007 01:03:56 +0100
Subject: A question...
In-Reply-To: <45CB943C.5010109@foo.hackindex.es>
Message-ID:
Hello Santiago !
Santiago Jos? L?pez Borraz?s wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> How the two lines are removed that appears above all of the signed of
> messages?
> There is some human way to tell him al GnuPG to that show not those two
> lines of BEGIN PGP MESSAGE?
No, there is no human, and inclusive no God, that could remove the two first lines of a PGP message.
--
Laurent Jumet
KeyID: 0xCFAF704C
From rjh at sixdemonbag.org Fri Feb 9 07:18:19 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 9 Feb 2007 00:18:19 -0600
Subject: Random numbers
Message-ID: <4B919F51-BAC3-476B-B890-26A1578EF5F0@sixdemonbag.org>
While this may be off-topic, sometimes the community needs a good
laugh, and today's XKCD provides a good laugh about random numbers. :)
http://www.xkcd.net
From wk at gnupg.org Fri Feb 9 10:25:36 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 09 Feb 2007 10:25:36 +0100
Subject: GnuPG on MS Vista
In-Reply-To: (Robert
J. Hansen's message of "Thu\, 8 Feb 2007 16\:02\:10 -0600")
References: <45CB86F1.7000607@gmail.com>
<20070208204532.GA23127@jabberwocky.com>
<45CB9195.40304@gmail.com>
Message-ID: <87veibisxb.fsf@wheatstone.g10code.de>
On Thu, 8 Feb 2007 23:02, rjh at sixdemonbag.org said:
> That's up to the GnuPG developers, and whether they have any Vista
> boxes available to do regression testing on. They may have already
No, I don't have decent hardware to install Vista on it. I plan to do
so but it may take sometime.
A points which needs some investigation is the entropy gatherer - this
is very system specific code and we need to check whether it will
still deliver enough entropy.
Shalom-Salam,
Werner
From antonio.bleile at seac02.it Fri Feb 9 11:11:41 2007
From: antonio.bleile at seac02.it (Antonio Bleile)
Date: Fri, 9 Feb 2007 11:11:41 +0100
Subject: Newbie question
Message-ID: <45CBFFE900039C45@> (added by postmaster@aa001msb.fastweb.it)
Hi all,
I have a question concerning an "unusual" way of using gnuPG...
I don't want to encrypt emails, I just want to encrypt binary
data and deliver that over the internet. Consider the following
scenario: I have a program that gets deliverd to various clients.
The program is a viewer for 3d models. The viewer can load and
display various types of input formats (e.g. CAD models). It
can also load models directly from a URL. Now we'd like to put
some cool models on our web page but we don't want people to
disassemble the file and thus getting to the mathematic definition
of a CAD model (people giving you a CAD model of e.g. a brandnew
car are very concerned about their data!!!). So I thought to
protect the data with public/private key encryption. We encrypt
the data with a private key and put the result on our server.
Our viewer contains the public key for decryption. You might
say that it's easy to get to the data anyway, you just
have to dump the memory of the program after the data has
been decypted.... But that requires some higher "criminal energy",
and I think I can live with the risk...
- So actually, my question is: Does this approach make any sense
for you crypto-gurus out there? (Please forgive me my ignorance,
I have just a vague memory of my cryptography lessons...).
- Does libcrypt do the job?
- The CAD data may contain a fixed header, so an atacker knowing
the header might use this info to easily get the private key?
Thank you and kind regards,
Toni
From antonio.bleile at seac02.it Fri Feb 9 11:36:35 2007
From: antonio.bleile at seac02.it (Antonio Bleile)
Date: Fri, 9 Feb 2007 11:36:35 +0100
Subject: Newbie question
In-Reply-To: <45CC4D3E.907@radde.name>
Message-ID: <45CBFFE900041DDE@> (added by postmaster@aa001msb.fastweb.it)
Hi Sven,
> Hi!
>
> Private/Public key does not buy you much in this case if all
> you want is to obfuscate the file contents.
> Just use some AES implementation with the same symmetric key
> on the server and the client.
>
> Despite you seem to be aware of it, let me stress again:
> It cannot possibly be secure if the decryption key is stored
> alongside with the enrcypted data (which is why I chose the
> word "obfuscate" above).
Mh... That means I've missed something really fundamental...
When you send an encrypted mail you send the encrypted
data and the receiver at some point has both, the public
key and your encrypted mail. Else, how should he read your
mail? Am I totally wrong?
Bye,
Toni
From wk at gnupg.org Fri Feb 9 11:54:27 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 09 Feb 2007 11:54:27 +0100
Subject: Newbie question
In-Reply-To: <45CBFFE900041DDE@> (added by postmaster@aa001msb.fastweb.it)
(Antonio Bleile's message of "Fri\, 9 Feb 2007 11\:36\:35 +0100")
References: <45CBFFE900041DDE@>
Message-ID: <87veibfvoc.fsf@wheatstone.g10code.de>
On Fri, 9 Feb 2007 11:36, antonio.bleile at seac02.it said:
> Mh... That means I've missed something really fundamental...
> When you send an encrypted mail you send the encrypted
> data and the receiver at some point has both, the public
> key and your encrypted mail. Else, how should he read your
> mail? Am I totally wrong?
It is the way around. You use the *public* key to *en*crypt to the
recipient. The recipent uses his *private* key to *de*crypt.
Of course you could include a private key in a viewer software so that
anyone can encrypt files for use by this viewer. I think that is what
you had in mind.
Salam-Shalom,
Werner
From antonio.bleile at seac02.it Fri Feb 9 12:01:45 2007
From: antonio.bleile at seac02.it (Antonio Bleile)
Date: Fri, 9 Feb 2007 12:01:45 +0100
Subject: Newbie question
In-Reply-To: <87veibfvoc.fsf@wheatstone.g10code.de>
Message-ID: <45CC027200049718@> (added by postmaster@aa002msb.fastweb.it)
Hi,
> On Fri, 9 Feb 2007 11:36, antonio.bleile at seac02.it said:
>
> > Mh... That means I've missed something really fundamental...
> > When you send an encrypted mail you send the encrypted data and the
> > receiver at some point has both, the public key and your encrypted
> > mail. Else, how should he read your mail? Am I totally wrong?
>
> It is the way around. You use the *public* key to *en*crypt
> to the recipient. The recipent uses his *private* key to *de*crypt.
>
> Of course you could include a private key in a viewer
> software so that anyone can encrypt files for use by this
> viewer. I think that is what you had in mind.
Exactly. I interchanged the terms. Weird. Shouldn't public
be "public"??? Thank you for clearing this up. There are
the other two questions still open ;) :
- Does libcrypt do the job? I guess so...
- The CAD data may contain a fixed header, so an atacker knowing
the header might use this info to easily get the private key?
Thank's and Salam,
Toni
From hans.ekbrand at gmail.com Fri Feb 9 11:53:22 2007
From: hans.ekbrand at gmail.com (Hans Ekbrand)
Date: Fri, 9 Feb 2007 11:53:22 +0100
Subject: Newbie question
In-Reply-To: <45CBFFE900041DDE@>
References: <45CC4D3E.907@radde.name> <45CBFFE900041DDE@>
Message-ID: <20070209105322.GG28831@localhost.localdomain>
On Fri, Feb 09, 2007 at 11:36:35AM +0100, Antonio Bleile wrote:
> Hi Sven,
>
> > Hi!
> >
> > Private/Public key does not buy you much in this case if all
> > you want is to obfuscate the file contents.
> > Just use some AES implementation with the same symmetric key
> > on the server and the client.
> >
> > Despite you seem to be aware of it, let me stress again:
> > It cannot possibly be secure if the decryption key is stored
> > alongside with the enrcypted data (which is why I chose the
> > word "obfuscate" above).
>
> Mh... That means I've missed something really fundamental...
> When you send an encrypted mail you send the encrypted
> data and the receiver at some point has both, the public
> key and your encrypted mail.
The receiver has the *private* key. The sender encrypts with the
*public* key.
--
Hans Ekbrand (http://sociologi.cjb.net)
Q. What is that strange attachment in this mail?
A. My digital signature, see www.gnupg.org for info on how you could
use it to ensure that this mail is from me and has not been
altered on the way to you.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: Digital signature
Url : /pipermail/attachments/20070209/e5418791/attachment.pgp
From wk at gnupg.org Fri Feb 9 14:56:58 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 09 Feb 2007 14:56:58 +0100
Subject: Newbie question
In-Reply-To: <45CC027200049718@> (added by postmaster@aa002msb.fastweb.it)
(Antonio Bleile's message of "Fri\, 9 Feb 2007 12\:01\:45 +0100")
References: <45CC027200049718@>
Message-ID: <87ps8je8np.fsf@wheatstone.g10code.de>
On Fri, 9 Feb 2007 12:01, antonio.bleile at seac02.it said:
> - Does libcrypt do the job? I guess so...
No. Libgcrypt provides basic building blocks but has no support for
any specific protocol.
> - The CAD data may contain a fixed header, so an atacker knowing
> the header might use this info to easily get the private key?
It all depends on the protocol used. Getting the protocol right is
not easy and thus the best advise I can give is to use an established
protocol like OpenPGP or CMS (pkcs#7)
For your application I would simply use a different file suffix or a
special MIME type and pipe the data through gpg while reading.
Salam-Shalom,
Werner
From jharris at widomaker.com Sat Feb 10 00:41:51 2007
From: jharris at widomaker.com (Jason Harris)
Date: Fri, 9 Feb 2007 18:41:51 -0500
Subject: new (2007-02-04) keyanalyze results (+sigcheck)
Message-ID: <20070209234151.GA33946@wilma.widomaker.com>
New keyanalyze results are available at:
http://keyserver.kjsl.com/~jharris/ka/2007-02-04/
Signatures are now being checked using keyanalyze+sigcheck:
http://dtype.org/~aaronl/
Earlier reports are also available, for comparison:
http://keyserver.kjsl.com/~jharris/ka/
Even earlier monthly reports are at:
http://dtype.org/keyanalyze/
SHA-1 hashes and sizes for all the "permanent" files:
b3d0aacd19c088a661a19e37d74d7e1996fccb15 14459760 preprocess.keys
c946effa31b83959f501dbfe95109d38cab85a69 8480415 othersets.txt
b072ddbaceabe9eaa3a4256e7a4aaf10d0a6f6e0 3477622 msd-sorted.txt
ee7513d6673185c48dd654a1e8e683b1f7c8788f 1450 index.html
fccd1b1cf5e7c6611e7950a2a7d741aff08f9153 2278 keyring_stats
397cd852840bb462638ca7096800399f828b7c47 1368288 msd-sorted.txt.bz2
e0ced60c9562daa3032abe7551a26a7a5afce36b 26 other.txt
e86c800743a8ab0a16952ebeb6de2e355e27d87f 1839751 othersets.txt.bz2
82ce02825d887ff48aed71efa4ba82b0a7e59957 5880850 preprocess.keys.bz2
3c86a21d7d6e444e43a15f98bc92f8bbf50e0593 14725 status.txt
d4973bf6a1f33319d91cd4e7c1f5f6c46214a81f 194595 top1000table.html
a23e213fb8c0a2a6064100d392b337127824fdf4 29780 top1000table.html.gz
dae7b4ddf0d5d71940632bffb9cdbfe9a54cd80d 9782 top50table.html
e26e21e89dc47cbe4a79f8bf775c7eb0edb24341 2529 D3/D39DA0E3
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 313 bytes
Desc: not available
Url : /pipermail/attachments/20070209/65be30bf/attachment.pgp
From greg at reaume.name Sat Feb 10 01:09:02 2007
From: greg at reaume.name (Greg Reaume)
Date: Fri, 09 Feb 2007 19:09:02 -0500
Subject: sig-keyserver-url
Message-ID: <45CD0D1E.6020502@reaume.name>
I'm having troubles with the sig-keyserver-url option in GPG 1.4.6 on
Windows XP.
I have it specified in my gpg.conf:
sig-keyserver-url hkp://subkeys.pgp.net
...but it doesn't seem to have any effect.
I also try to specify it on the cmd line:
gpg --sig-keyserver-url hkp://subkeys.pgp.net --sign-key ########
...and it proceeds with signing but leaves off the keyserver URL.
I have found only one way to make it work on my own key. If I first
self-sign my key, quit, then return to edit and use the 'keyserver'
command it will work. If I try to do both things in the same edit
session it will quietly take the command but do nothing. Unfortunately
edit mode won't allow me to do this on someone else's key because I
don't have the private key.
I'm using the openpgp option (no-force-v3-sigs) and I have successfully
set the cert-policy-url in my gpg.conf and it works every time. I have
set list-options and verify-options show-keyserver-urls. verbose and
debug 1024 options yield no useful output for this issue.
I'm able to reproduce the behaviour on another Windows XP computer with
a different key.
Is this a bug? Is there anything I can do to provide more info to
better troubleshoot the issue?
TIA,
Greg Reaume
From dshaw at jabberwocky.com Sat Feb 10 04:12:45 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 9 Feb 2007 22:12:45 -0500
Subject: sig-keyserver-url
In-Reply-To: <45CD0D1E.6020502@reaume.name>
References: <45CD0D1E.6020502@reaume.name>
Message-ID: <20070210031245.GA30327@jabberwocky.com>
On Fri, Feb 09, 2007 at 07:09:02PM -0500, Greg Reaume wrote:
> I'm having troubles with the sig-keyserver-url option in GPG 1.4.6 on
> Windows XP.
>
> I have it specified in my gpg.conf:
> sig-keyserver-url hkp://subkeys.pgp.net
> ...but it doesn't seem to have any effect.
>
> I also try to specify it on the cmd line:
> gpg --sig-keyserver-url hkp://subkeys.pgp.net --sign-key ########
> ...and it proceeds with signing but leaves off the keyserver URL.
>
> I have found only one way to make it work on my own key. If I first
> self-sign my key, quit, then return to edit and use the 'keyserver'
> command it will work. If I try to do both things in the same edit
> session it will quietly take the command but do nothing. Unfortunately
> edit mode won't allow me to do this on someone else's key because I
> don't have the private key.
>
> I'm using the openpgp option (no-force-v3-sigs) and I have successfully
> set the cert-policy-url in my gpg.conf and it works every time. I have
> set list-options and verify-options show-keyserver-urls. verbose and
> debug 1024 options yield no useful output for this issue.
I think there is some confusion here. sig-keyserver-url applies to
signatures. That is, signatures on data (--sign-file or the other
signature making commands). It has no effect on signing keys
(--sign-key).
What are you trying to accomplish?
David
From rocket at heddway.com Sat Feb 10 22:13:42 2007
From: rocket at heddway.com (jason heddings)
Date: Sat, 10 Feb 2007 14:13:42 -0700
Subject: Sending Public Key
Message-ID: <001101c74d58$57e1b8e0$6700a8c0@enterprise>
I'm making use of libgcrypt for a specific encryption application. I'm
assuming that the following is secure:
- Use libgcrypt to create a keypair
- Save the S-exp to an internal, protected keystore
- Base64 encode the public-key portion of the S-exp
- Broadcast the base64-encoded key to associated clients
- Use the broadcasted public-key to encrypt data
- Send encrypted data back to a server containing the keystore
- Only server can decrypt encrypted data using private keys
Can someone please correct me if I am wrong? Is there a problem with this
approach, or perhaps a better one?
--jah
From MichaelParker at gmx.de Sun Feb 11 15:44:37 2007
From: MichaelParker at gmx.de (Michael Parker)
Date: Sun, 11 Feb 2007 15:44:37 +0100
Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader
Message-ID: <200702111544.37742.MichaelParker@gmx.de>
Hi,
I tried to setup an external smartcard reader with a pinpad and on gentoo I
don't get it to work.
On an ubuntu-installation the pin isn't enterd by the external pinpad but by
the regualar keyboard and that works fine.
On gentoo I'm asked to enter the pin on the pinpad of the reader. After
entering it doesn't find the secret key.
Some details of my system:
It's a
Code:
Bus 002 Device 002: ID 04e6:e003 SCM Microsystems, Inc. SPR532 PinPad
SmartCard Reader
gpg-agent.conf
Code:
pinentry-program /usr/bin/pinentry-qt
no-grab
default-cache-ttl 1800
gpg.conf
Code:
grep -v ^# gpg.conf | grep -v ^$
require-cross-certification
keyserver hkp://subkeys.pgp.net
hidden-encrypt-to 0219F045
hidden-encrypt-to 18BA2C46
default-recipient 0219F045
default-recipient 18BA2C46
use-agent
reader access works
gpg --card-status
Code:
Application ID ...: D276000124010101000100000AA60000
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
...
I tried those variations of useflags settings
Code:
emerge -tpv gnupg
Calculating dependencies... done!
[ebuild R ] app-crypt/gnupg-2.0.2 USE="X nls
smartcard -bzip2 -doc -ldap -openct -pcsc-lite (-selinux)" 0 kB
emerge -tpv gnupg
These are the packages that would be merged, in reverse order:
Calculating dependencies... done!
[ebuild R ] app-crypt/gnupg-2.0.2 USE="X nls pcsc-lite
smartcard -bzip2 -doc -ldap -openct (-selinux)" 0 kB
gpg-agent is running
Code:
ps ax | grep agent
23837 ? Ss 0:00 gpg-agent --daemon
installed software
Code:
app-crypt/gnupg
Latest version available: 2.0.2
Latest version installed: 2.0.2
Size of files: 3,876 kB
Homepage: http://www.gnupg.org/
Description: The GNU Privacy Guard, a GPL pgp replacement
License: GPL-2
app-crypt/pinentry
Latest version available: 0.7.2-r2
Latest version installed: 0.7.2-r2
Size of files: 389 kB
Homepage: http://www.gnupg.org/aegypten/
Description: Collection of simple PIN or passphrase entry dialogs
which utilize the Assuan protocol
License: GPL-2
sys-apps/pcsc-lite
Latest version available: 1.3.1-r1
Latest version installed: 1.3.1-r1
Size of files: 822 kB
Homepage: http://www.linuxnet.com/middle.html
Description: PC/SC Architecture smartcard middleware library
License: as-is
sys-libs/libchipcard
Latest version available: 2.1.8
Latest version installed: 2.1.8
Size of files: 974 kB
Homepage: http://www.libchipcard.de
Description: Libchipcard is a library for easy access to chip cards
via chip card readers (terminals).
License: GPL-2
* dev-libs/opensc
Latest version available: 0.10.1
Latest version installed: 0.10.1
Size of files: 1,275 kB
Homepage: http://www.opensc.org/
Description: SmartCard library and applications
License: LGPL-2
* dev-libs/openct
Latest version available: 0.6.6
Latest version installed: 0.6.6
Size of files: 550 kB
Homepage: http://opensc.org/
Description: library for accessing smart card terminals
License: BSD
Does the external pinpad in between work at all under linux ?
If ubuntu is configured that way, so pins are still enterd by the regular
keybord, how do I configure it the same with gentoo ?
Do I have to change my software/configuration ?
Any hints will be appreciated
From alon.barlev at gmail.com Sun Feb 11 17:42:53 2007
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Sun, 11 Feb 2007 18:42:53 +0200
Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader
In-Reply-To: <200702111544.37742.MichaelParker@gmx.de>
References: <200702111544.37742.MichaelParker@gmx.de>
Message-ID: <9e0cf0bf0702110842s398be2d1y7bb660331e32639b@mail.gmail.com>
On 2/11/07, Michael Parker wrote:
> Hi,
>
> I tried to setup an external smartcard reader with a pinpad and on gentoo I
> don't get it to work.
> On an ubuntu-installation the pin isn't enterd by the external pinpad but by
> the regualar keyboard and that works fine.
> On gentoo I'm asked to enter the pin on the pinpad of the reader. After
> entering it doesn't find the secret key.
If you use opensc enabled card, is the PKCS#11 provider works with the
external PIN pad?
You can test it using firefox or pkcs11-tool.
If yes, you can use the gnupg-pkcs11-scd.
Best Regards,
Alon Bar-Lev.
From MichaelParker at gmx.de Sun Feb 11 18:18:03 2007
From: MichaelParker at gmx.de (Michael Parker)
Date: Sun, 11 Feb 2007 18:18:03 +0100
Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader
In-Reply-To: <9e0cf0bf0702110842s398be2d1y7bb660331e32639b@mail.gmail.com>
References: <200702111544.37742.MichaelParker@gmx.de>
<9e0cf0bf0702110842s398be2d1y7bb660331e32639b@mail.gmail.com>
Message-ID: <200702111818.03917.MichaelParker@gmx.de>
On Sunday 11 February 2007 17:42, Alon Bar-Lev wrote:
>
> If you use opensc enabled card, is the PKCS#11 provider works with the
> external PIN pad?
> You can test it using firefox or pkcs11-tool.
>
> If yes, you can use the gnupg-pkcs11-scd.
>
Hi Alon,
thanks for the hint !
I don't know if I get it.
For example:
when I try
pkcs11-tool -L
I get:
winscard_clnt.c:320:SCardEstablishContextTH() Cannot open public shared
file: /var/run/pcscd.pub
Available slots:
Slot 0 (empty)
Slot 1 (empty)
Slot 2 (empty)
Slot 3 (empty)
Slot 4 (empty)
Slot 5 (empty)
Slot 6 (empty)
Slot 7 (empty)
which doesn't mean a think to me.
I don't think that this is the reason for my problem. A year ago it already
worked with the exception that there was not popup asking me to enter the pin
by the cardreader.
As I mentioned the ubuntu-distribution behaves different.
Kind regards,
Michael
From benjamin at py-soft.co.uk Sun Feb 11 18:44:59 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sun, 11 Feb 2007 17:44:59 +0000
Subject: Compiling GnuPG 2.0.1 on MacOS X
In-Reply-To: <45C0D588.70106@py-soft.co.uk>
References: <20070104.141847.12788317.kazu@iij.ad.jp> <20070105194302.GH1278@curie-int.orbis-terrarum.net> <87wt33l1t7.fsf@wheatstone.g10code.de> <45C0A96B.6090301@py-soft.co.uk>
<45C0D588.70106@py-soft.co.uk>
Message-ID: <45CF561B.90305@py-soft.co.uk>
Benjamin Donnachie wrote:
> Actually, I wonder whether creating bundle information for gpg-agent
> would be the solution... I'll give it a go soon and will let you know
> the outcome.
Ah no, that didn't work. But invoking gpg-agent with the option
--pinentry-program "/bin/sh -c
/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac" did.
I'll modify my start gpg-agent script and release a new version soon.
It's not a particularly great solution, but makes gnupg 2.0.2 usable
under MacOS. I haven't had chance to look into the MacOS function
NSTask yet but if it does what we want correctly, I'll then look into a
MacOS specific version of the assuan library.
Take care,
Ben
From alex at bofh.net.pl Sun Feb 11 18:58:40 2007
From: alex at bofh.net.pl (Janusz A. Urbanowicz)
Date: Sun, 11 Feb 2007 18:58:40 +0100
Subject: Sending Public Key
In-Reply-To: <001101c74d58$57e1b8e0$6700a8c0@enterprise>
References: <001101c74d58$57e1b8e0$6700a8c0@enterprise>
Message-ID: <20070211175840.GL11476@hell.pl>
On Sat, Feb 10, 2007 at 02:13:42PM -0700, jason heddings wrote:
> I'm making use of libgcrypt for a specific encryption application. I'm
> assuming that the following is secure:
>
> - Use libgcrypt to create a keypair
> - Save the S-exp to an internal, protected keystore
> - Base64 encode the public-key portion of the S-exp
> - Broadcast the base64-encoded key to associated clients
> - Use the broadcasted public-key to encrypt data
> - Send encrypted data back to a server containing the keystore
> - Only server can decrypt encrypted data using private keys
>
> Can someone please correct me if I am wrong? Is there a problem with this
> approach, or perhaps a better one?
Without a detailed specification of the protocol it is almost impossible,
but for starters, do not encrypt actual non-random data with a pubkey.
It is always bad idea to roll your own crypto protocol, use SSL/TLS or
OpenPGP or CMS, or XML cryptography if possible.
Alex
--
JID: alex at hell.pl
PGP: 0x46399138
od zwracania uwagi na detale s? lekarze, adwokaci, programi?ci i zegarmistrze
-- Czerski
From alon.barlev at gmail.com Sun Feb 11 19:34:20 2007
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Sun, 11 Feb 2007 20:34:20 +0200
Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader
In-Reply-To: <200702111818.03917.MichaelParker@gmx.de>
References: <200702111544.37742.MichaelParker@gmx.de>
<9e0cf0bf0702110842s398be2d1y7bb660331e32639b@mail.gmail.com>
<200702111818.03917.MichaelParker@gmx.de>
Message-ID: <9e0cf0bf0702111034w6003ea0en1e6ef9660b4d7b04@mail.gmail.com>
On 2/11/07, Michael Parker wrote:
> For example:
> when I try
> pkcs11-tool -L
>
> I get:
>
> winscard_clnt.c:320:SCardEstablishContextTH() Cannot open public shared
> file: /var/run/pcscd.pub
> Available slots:
> Slot 0 (empty)
> Slot 1 (empty)
> Slot 2 (empty)
> Slot 3 (empty)
> Slot 4 (empty)
> Slot 5 (empty)
> Slot 6 (empty)
> Slot 7 (empty)
Strange... It seems like the pcscd is not up...
Can you check it out?
> I don't think that this is the reason for my problem. A year ago it already
> worked with the exception that there was not popup asking me to enter the pin
> by the cardreader.
So you will be able to reach at least the same state... :)
> As I mentioned the ubuntu-distribution behaves different.
But you said ubuntu does not use the external PIN PAD...
Regards,
Alon Bar-Lev.
From MichaelParker at gmx.de Sun Feb 11 20:08:24 2007
From: MichaelParker at gmx.de (Michael Parker)
Date: Sun, 11 Feb 2007 20:08:24 +0100
Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader
In-Reply-To: <9e0cf0bf0702111034w6003ea0en1e6ef9660b4d7b04@mail.gmail.com>
References: <200702111544.37742.MichaelParker@gmx.de>
<200702111818.03917.MichaelParker@gmx.de>
<9e0cf0bf0702111034w6003ea0en1e6ef9660b4d7b04@mail.gmail.com>
Message-ID: <200702112008.25358.MichaelParker@gmx.de>
On Sunday 11 February 2007 19:34, Alon Bar-Lev wrote:
> Strange... It seems like the pcscd is not up...
> Can you check it out?
ok, I did a
/etc/init.d/pcscd start
* Starting pcscd ...
I get in /var/log/messages
Feb 11 20:03:36 zaphod su(pam_unix)[3950]: session opened for user root by
(uid=500)
Feb 11 20:06:18 zaphod pcscd: configfile.l:106:evaluatetoken() Error with
device GEN_SMART_RDR: No such file or directory
Feb 11 20:06:18 zaphod pcscd: configfile.l:107:evaluatetoken() You should
use 'DEVICENAME /dev/null' if your driver does not use this field
Feb 11 20:06:18 zaphod pcscd: configfile.l:127:evaluatetoken() Error with
library /usr/lib/readers/usb/libgen_ifd.so: No such file or directory
Feb 11 20:06:18 zaphod pcscd: pcscdaemon.c:489:at_exit() cleaning /var/run
Feb 11 20:06:18 zaphod pcscd: pcscdaemon.c:508:clean_temp_files() Cannot
unlink /var/run/pcscd.comm: No such file or directory
> But you said ubuntu does not use the external PIN PAD...
That would be fine with me, because the pinpad wasn't supported in the past at
all.
Kind regards,
Michael
From alon.barlev at gmail.com Sun Feb 11 20:13:31 2007
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Sun, 11 Feb 2007 21:13:31 +0200
Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader
In-Reply-To: <200702112008.25358.MichaelParker@gmx.de>
References: <200702111544.37742.MichaelParker@gmx.de>
<200702111818.03917.MichaelParker@gmx.de>
<9e0cf0bf0702111034w6003ea0en1e6ef9660b4d7b04@mail.gmail.com>
<200702112008.25358.MichaelParker@gmx.de>
Message-ID: <9e0cf0bf0702111113m7d3ddf9bs4ca4108f4c00f3d1@mail.gmail.com>
On 2/11/07, Michael Parker wrote:
> > But you said ubuntu does not use the external PIN PAD...
> That would be fine with me, because the pinpad wasn't supported in the past at
> all.
Oh... I thought you wish to use the external PIN PAD...
You can work with MUSCLE mailing list in order to make pcscd work...
Sorry I cannot help you further...
Regards,
Alon Bar-Lev.
From benjamin at py-soft.co.uk Sun Feb 11 20:31:19 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sun, 11 Feb 2007 19:31:19 +0000
Subject: Compiling GnuPG 2.0.1 on MacOS X
In-Reply-To: <45CF561B.90305@py-soft.co.uk>
References: <20070104.141847.12788317.kazu@iij.ad.jp> <20070105194302.GH1278@curie-int.orbis-terrarum.net> <87wt33l1t7.fsf@wheatstone.g10code.de> <45C0A96B.6090301@py-soft.co.uk>
<45C0D588.70106@py-soft.co.uk> <45CF561B.90305@py-soft.co.uk>
Message-ID: <45CF6F07.9040809@py-soft.co.uk>
Benjamin Donnachie wrote:
> Ah no, that didn't work. But invoking gpg-agent with the option
> --pinentry-program "/bin/sh -c
> /Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac" did.
How embarrassing... my mistake - I was still using the old patched version!
Ooops... :-/
Ben
From hawke at hawkesnest.net Sun Feb 11 21:14:55 2007
From: hawke at hawkesnest.net (Alex L. Mauer)
Date: Sun, 11 Feb 2007 14:14:55 -0600
Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader
In-Reply-To: <200702111544.37742.MichaelParker__1389.95028469271$1171211737$gmane$org@gmx.de>
References: <200702111544.37742.MichaelParker__1389.95028469271$1171211737$gmane$org@gmx.de>
Message-ID:
Michael Parker wrote:
> Hi,
>
> I tried to setup an external smartcard reader with a pinpad and on gentoo I
> don't get it to work.
> On an ubuntu-installation the pin isn't enterd by the external pinpad but by
> the regualar keyboard and that works fine.
> On gentoo I'm asked to enter the pin on the pinpad of the reader. After
> entering it doesn't find the secret key.
>
For what it's worth, the external pinpad did start to work for me on
Ubuntu for awhile. But then I changed something and it stopped (it may
have been enabling ssh support in the scdaemon -- I changed a few things
and didn't keep track of exactly what it was). So the external pinpad
is very very close to working in Ubuntu.
-Alex Mauer "hawke"
--
Bad - You get pulled over for doing 90 in a school zone and you're drunk
off your ass again at three in the afternoon.
Worse - The cop is drunk too, and he's a mean drunk.
FUCK! - A mean drunk that's actually a swarm of semi-sentient
flesh-eating beetles.
OpenPGP key id: 51192FF2 @ subkeys.pgp.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20070211/2e942ad9/attachment.pgp
From johanw at vulcan.xs4all.nl Mon Feb 12 01:12:59 2007
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Mon, 12 Feb 2007 01:12:59 +0100 (MET)
Subject: New command line language parameter
In-Reply-To: <45CB8A09.7090004@securemecca.net>
Message-ID: <200702120012.l1C0Cxl5005366@vulcan.xs4all.nl>
Henry Hertz Hobbit wrote:
>running GnuPG on Windows! To lead it all off, if you are running as
>an Administrator user all the time on Windows you are doing the
>equivalent of RUNNING AS root ALL THE TIME ON A UNIX SYSTEM! The
>present Windows GnuPG 1.4.X installs assume people do this.
On Unix systems, you also often have to be root to install software.
Especially for GnuPG on Linux to set the s-bit to allow it to claim
secure memory. To run it as user is no problem though, both on Linux
of Windows.
--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw at vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
From greg at reaume.name Mon Feb 12 04:14:51 2007
From: greg at reaume.name (Greg Reaume)
Date: Sun, 11 Feb 2007 22:14:51 -0500
Subject: sig-keyserver-url
Message-ID: <45CFDBAB.6000201@reaume.name>
On Fri, 9 Feb 2007 at 22:12:45 -0500, David Shaw wrote:
>
> I think there is some confusion here. sig-keyserver-url applies to
> signatures. That is, signatures on data (--sign-file or the other
> signature making commands). It has no effect on signing keys
> (--sign-key).
>
> What are you trying to accomplish?
>
> David
You're right, I'm using the wrong option then.
I want to attach the preferred keyserver URL to a key certification.
I've been able to do it on my self-cert using the edit command
'keyserver', but how do I do it on someone else's key?
Is there another option I can put in my .conf file?
TIA,
Greg Reaume
From dshaw at jabberwocky.com Mon Feb 12 06:56:42 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 12 Feb 2007 00:56:42 -0500
Subject: sig-keyserver-url
In-Reply-To: <45CFDBAB.6000201@reaume.name>
References: <45CFDBAB.6000201@reaume.name>
Message-ID: <20070212055642.GB3208@jabberwocky.com>
On Sun, Feb 11, 2007 at 10:14:51PM -0500, Greg Reaume wrote:
> On Fri, 9 Feb 2007 at 22:12:45 -0500, David Shaw wrote:
> >
> > I think there is some confusion here. sig-keyserver-url applies to
> > signatures. That is, signatures on data (--sign-file or the other
> > signature making commands). It has no effect on signing keys
> > (--sign-key).
> >
> > What are you trying to accomplish?
> >
> > David
>
> You're right, I'm using the wrong option then.
>
> I want to attach the preferred keyserver URL to a key certification.
> I've been able to do it on my self-cert using the edit command
> 'keyserver', but how do I do it on someone else's key?
Given the current GPG, you can't. There is no ability to do that.
You can only put a preferred keyserver URL on your own key (in a
self-signature), or in a data signature.
David
From wk at gnupg.org Mon Feb 12 12:23:10 2007
From: wk at gnupg.org (Werner Koch)
Date: Mon, 12 Feb 2007 12:23:10 +0100
Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader
In-Reply-To: <200702111544.37742.MichaelParker@gmx.de> (Michael Parker's
message of "Sun\, 11 Feb 2007 15\:44\:37 +0100")
References: <200702111544.37742.MichaelParker@gmx.de>
Message-ID: <87d54faach.fsf@wheatstone.g10code.de>
On Sun, 11 Feb 2007 15:44, MichaelParker at gmx.de said:
> I tried to setup an external smartcard reader with a pinpad and on gentoo I
> don't get it to work.
> On an ubuntu-installation the pin isn't enterd by the external pinpad but by
> the regualar keyboard and that works fine.
> On gentoo I'm asked to enter the pin on the pinpad of the reader. After
> entering it doesn't find the secret key.
You need to make sure to use the interal CCID driver and not pcscd.
This requires proper setting of the permissions as explained int the
smart card how to and that you don't run pcscd!
To test this you should enter
debug-ccid-driver
debug 2048
log-file /somewhere/scdaemon.log
into scdaemon.conf and kill a running scdaemon process. Instead of
the log file you may also use watchgnupg as explained in the manual.
There is no support for PIN pads when using pcscd.
Shalom-Salam,
Werner
From wk at gnupg.org Mon Feb 12 12:27:02 2007
From: wk at gnupg.org (Werner Koch)
Date: Mon, 12 Feb 2007 12:27:02 +0100
Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader
In-Reply-To: (Alex L. Mauer's message of "Sun\, 11
Feb 2007 14\:14\:55 -0600")
References: <200702111544.37742.MichaelParker__1389.95028469271$1171211737$gmane$org@gmx.de>
Message-ID: <878xf3aa61.fsf@wheatstone.g10code.de>
On Sun, 11 Feb 2007 21:14, hawke at hawkesnest.net said:
> For what it's worth, the external pinpad did start to work for me on
> Ubuntu for awhile. But then I changed something and it stopped (it may
> have been enabling ssh support in the scdaemon -- I changed a few things
> and didn't keep track of exactly what it was). So the external pinpad
> is very very close to working in Ubuntu.
I am pretty sure that this is a problem of the distribution. The most
common problem is that pcscd has been started and thus gained
exclusive access to the reader.
BTW, I am using a Kobil Advanced reader all the day for ssh access as
well as for signing files. The SPR532 does also work but the keyboard
of the KAAN has better keys.
Salam-Shalom,
Werner
From rocket at heddway.com Mon Feb 12 15:15:44 2007
From: rocket at heddway.com (jason heddings)
Date: Mon, 12 Feb 2007 07:15:44 -0700
Subject: Sending Public Key
In-Reply-To: <20070211175840.GL11476@hell.pl>
References: <001101c74d58$57e1b8e0$6700a8c0@enterprise>
<20070211175840.GL11476@hell.pl>
Message-ID: <000401c74eb0$497e19c0$6700a8c0@enterprise>
Thanks for the reply...
I think I'm missing something, then... Does that mean the operations
provided by libgcrypt are not secure to use by themselves?
--jah
-----Original Message-----
From: Janusz A. Urbanowicz [mailto:alex at hell.pl] On Behalf Of Janusz A.
Urbanowicz
Sent: Sunday, 11 February, 2007 10:59
To: jason heddings
Cc: gnupg-users at gnupg.org
Subject: Re: Sending Public Key
On Sat, Feb 10, 2007 at 02:13:42PM -0700, jason heddings wrote:
> I'm making use of libgcrypt for a specific encryption application. I'm
> assuming that the following is secure:
>
> - Use libgcrypt to create a keypair
> - Save the S-exp to an internal, protected keystore
> - Base64 encode the public-key portion of the S-exp
> - Broadcast the base64-encoded key to associated clients
> - Use the broadcasted public-key to encrypt data
> - Send encrypted data back to a server containing the keystore
> - Only server can decrypt encrypted data using private keys
>
> Can someone please correct me if I am wrong? Is there a problem with this
> approach, or perhaps a better one?
Without a detailed specification of the protocol it is almost impossible,
but for starters, do not encrypt actual non-random data with a pubkey.
It is always bad idea to roll your own crypto protocol, use SSL/TLS or
OpenPGP or CMS, or XML cryptography if possible.
Alex
--
JID: alex at hell.pl
PGP: 0x46399138
od zwracania uwagi na detale s? lekarze, adwokaci, programi?ci i
zegarmistrze
-- Czerski
From hawke at hawkesnest.net Mon Feb 12 16:13:32 2007
From: hawke at hawkesnest.net (Alex L. Mauer)
Date: Mon, 12 Feb 2007 09:13:32 -0600
Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader
In-Reply-To: <878xf3aa61.fsf__1767.28663868762$1171284374$gmane$org@wheatstone.g10code.de>
References: <200702111544.37742.MichaelParker__1389.95028469271$1171211737$gmane$org@gmx.de>
<878xf3aa61.fsf__1767.28663868762$1171284374$gmane$org@wheatstone.g10code.de>
Message-ID:
Werner Koch wrote:
> I am pretty sure that this is a problem of the distribution. The most
> common problem is that pcscd has been started and thus gained
> exclusive access to the reader.
I'd agree, except that mine is now prompting, and accepting input from
the keyboard, for the PIN. That's a symptom of the problem you describe
above, correct?
The previous pinpad problem I had was that it would prompt to use the
pinpad but then would fail after entering the PIN. That's a separate
problem, correct?
-Alex Mauer "hawke"
--
Bad - You get pulled over for doing 90 in a school zone and you're drunk
off your ass again at three in the afternoon.
Worse - The cop is drunk too, and he's a mean drunk.
FUCK! - A mean drunk that's actually a swarm of semi-sentient
flesh-eating beetles.
OpenPGP key id: 51192FF2 @ subkeys.pgp.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20070212/aa33dd25/attachment.pgp
From wk at gnupg.org Mon Feb 12 16:22:20 2007
From: wk at gnupg.org (Werner Koch)
Date: Mon, 12 Feb 2007 16:22:20 +0100
Subject: Sending Public Key
In-Reply-To: <000401c74eb0$497e19c0$6700a8c0@enterprise> (jason heddings's
message of "Mon\, 12 Feb 2007 07\:15\:44 -0700")
References: <001101c74d58$57e1b8e0$6700a8c0@enterprise>
<20070211175840.GL11476@hell.pl>
<000401c74eb0$497e19c0$6700a8c0@enterprise>
Message-ID: <873b5b5rkj.fsf@wheatstone.g10code.de>
On Mon, 12 Feb 2007 15:15, rocket at heddway.com said:
> I think I'm missing something, then... Does that mean the operations
> provided by libgcrypt are not secure to use by themselves?
It is with all tools. It needs to be used properly. A chainsaw is a
very powerful tool but not used properly you will do worse than
without.
Salam-Shalom,
Werner
From hawke at hawkesnest.net Mon Feb 12 18:18:31 2007
From: hawke at hawkesnest.net (Alex Mauer)
Date: Mon, 12 Feb 2007 11:18:31 -0600
Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader
In-Reply-To: <87d54faach.fsf__14086.0900086865$1171287201$gmane$org@wheatstone.g10code.de>
References: <200702111544.37742.MichaelParker@gmx.de>
<87d54faach.fsf__14086.0900086865$1171287201$gmane$org@wheatstone.g10code.de>
Message-ID:
Werner Koch wrote:
>
> There is no support for PIN pads when using pcscd.
Is this a limitation of pcscd or of GnuPG?
It sounds like pcscd supports the pinpad as of 1.2.9. [1]
If it's a limitation of GnuPG, are there any plans to support it in future?
[1] http://lists.apple.com/archives/Apple-cdsa/2006/Jan/msg00107.html
-Alex Mauer "hawke"
From rocket at heddway.com Mon Feb 12 20:53:38 2007
From: rocket at heddway.com (jason heddings)
Date: Mon, 12 Feb 2007 12:53:38 -0700
Subject: Sending Public Key
In-Reply-To: <873b5b5rkj.fsf@wheatstone.g10code.de>
References: <001101c74d58$57e1b8e0$6700a8c0@enterprise><20070211175840.GL11476@hell.pl><000401c74eb0$497e19c0$6700a8c0@enterprise>
<873b5b5rkj.fsf@wheatstone.g10code.de>
Message-ID: <001c01c74edf$7dd98770$6700a8c0@enterprise>
Thanks for the reply (and keeping me from making a big mistake)...
So, for doing basic data encryption / transmission, what's the right way to
go? We just need to do public key encryption, send the data (via email or
postal), decrypt on a backend.
Thanks for all the help here... Obviously I'm trying to forge new ground
for our company.
--jah
-----Original Message-----
From: Werner Koch [mailto:wk at gnupg.org]
Sent: Monday, 12 February, 2007 08:22
To: jason heddings
Cc: 'Janusz A. Urbanowicz'; gnupg-users at gnupg.org
Subject: Re: Sending Public Key
On Mon, 12 Feb 2007 15:15, rocket at heddway.com said:
> I think I'm missing something, then... Does that mean the operations
> provided by libgcrypt are not secure to use by themselves?
It is with all tools. It needs to be used properly. A chainsaw is a
very powerful tool but not used properly you will do worse than
without.
Salam-Shalom,
Werner
From bdc at topenergy.co.nz Mon Feb 12 20:06:11 2007
From: bdc at topenergy.co.nz (Bruce Cowin)
Date: Tue, 13 Feb 2007 08:06:11 +1300
Subject: public keys newbie question
Message-ID:
As I understand it, people only need my public key if they are going to encrypt a file for me. If I will only be sending them encrypted files, then I need their public key but they don't need mine. Is this correct?
Thanks.
Regards,
Bruce
From johanw at vulcan.xs4all.nl Mon Feb 12 02:25:31 2007
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Mon, 12 Feb 2007 02:25:31 +0100 (MET)
Subject: GnuPG on MS Vista
In-Reply-To: <87veibisxb.fsf@wheatstone.g10code.de>
Message-ID: <200702120125.l1C1PVpn006334@vulcan.xs4all.nl>
Werner Koch wrote:
>No, I don't have decent hardware to install Vista on it.
Switching off the baby-face interface reduces hardware requirements a lot.
That also helps with XP.
--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw at vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
From linux at thorstenhau.de Mon Feb 12 23:01:13 2007
From: linux at thorstenhau.de (Thorsten Haude)
Date: Mon, 12 Feb 2007 23:01:13 +0100
Subject: public keys newbie question
In-Reply-To:
References:
Message-ID: <20070212220113.GH1886@eumel.yoo.local>
Hi,
* Bruce Cowin wrote (2007-02-13 08:06):
>As I understand it, people only need my public key if they are going to encrypt a file for me. If I will only be sending them encrypted files, then I need their public key but they don't need mine. Is this correct?
Yup.
They will also need your public key to verify stuff you signed.
Thorsten
--
Every person shall have the right freely to inform himself
without hindrance from generally accessible sources.
- German Grundgesetz, Article 5, Sec. 1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20070212/e01c73c6/attachment.pgp
From johanw at vulcan.xs4all.nl Tue Feb 13 00:05:35 2007
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Tue, 13 Feb 2007 00:05:35 +0100 (MET)
Subject: GnuPG on MS Vista
In-Reply-To: <45D0E788.30370.AC62479@gnupg.myrealbox.com>
Message-ID: <200702122305.l1CN5Zmi005003@vulcan.xs4all.nl>
Dennis wrote:
>> Switching off the baby-face interface reduces hardware requirements a
lot.
>> That also helps with XP.
>What is the baby-face interface?
Also called "Aero" with Vista. Switch back to "classic" and the system
requirements drop significantly without reducing the functionality.
--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw at vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
From jajom at hawaiiantel.net Mon Feb 12 23:41:29 2007
From: jajom at hawaiiantel.net (Jim McQueeney)
Date: Mon, 12 Feb 2007 12:41:29 -1000
Subject: public keys newbie question
In-Reply-To:
References:
Message-ID: <45D0ED19.1050107@hawaiiantel.net>
Bruce Cowin wrote:
> As I understand it, people only need my public key if they are going to encrypt a file for me. If I will only be sending them encrypted files, then I need their public key but they don't need mine. Is this correct?
>
> Thanks.
>
>
>
> Regards,
>
> Bruce
>
>
Not quite; If you sign your messages, the recipient will need your public key
to verify the signature...
--
* Jim McQueeney **
***** Jim McQueeney *****
******* OpenPGP ** DH: 0x22768E06 ********
********* Keys *** DH: 0x41B6F689 ********
From alex at bofh.net.pl Tue Feb 13 14:14:53 2007
From: alex at bofh.net.pl (Janusz A. Urbanowicz)
Date: Tue, 13 Feb 2007 14:14:53 +0100
Subject: Sending Public Key
In-Reply-To: <001c01c74edf$7dd98770$6700a8c0@enterprise>
References: <873b5b5rkj.fsf@wheatstone.g10code.de>
<001c01c74edf$7dd98770$6700a8c0@enterprise>
Message-ID: <20070213131453.GQ11476@hell.pl>
On Mon, Feb 12, 2007 at 12:53:38PM -0700, jason heddings wrote:
> Thanks for the reply (and keeping me from making a big mistake)...
>
> So, for doing basic data encryption / transmission, what's the right way to
> go? We just need to do public key encryption, send the data (via email or
> postal), decrypt on a backend.
>
> Thanks for all the help here... Obviously I'm trying to forge new ground
> for our company.
It sounds like OpenPGP is exactly what you need. All senders get your
key, encrypt the data, send it to you you decrypt it. It can be easily
automated with scripts around GPG or (in compiled languages) using
GPGME. Since you don't mention need of any kinky stuff in the area of
key management, it seems trivial.
And if you need moral support, I can attest that I've seen GPG used to
do similar stuff in the banking industry.
Alex
--
JID: alex at hell.pl
PGP: 0x46399138
od zwracania uwagi na detale s? lekarze, adwokaci, programi?ci i zegarmistrze
-- Czerski
From nobody at dizum.com Thu Feb 8 15:30:04 2007
From: nobody at dizum.com (Nomen Nescio)
Date: Thu, 8 Feb 2007 15:30:04 +0100 (CET)
Subject: storing password lists in mails to myself on IMAP?
Message-ID: <00387739ad35be0cc009f910b3bf73ab@dizum.com>
I use thunderbird on my laptop and desktop with an IMAP server, and
I've been mailing myself encrypted mails with website passwords so I
have access to them on both computers.
This is just as secure as encrypting a file and copying it onto both
computers without using e-mail as a medium, right?
Or am I doing something stupid?
thanks
From dshaw at jabberwocky.com Tue Feb 13 17:43:11 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 13 Feb 2007 11:43:11 -0500
Subject: Sending Public Key
In-Reply-To: <001c01c74edf$7dd98770$6700a8c0@enterprise>
References: <873b5b5rkj.fsf@wheatstone.g10code.de>
<001c01c74edf$7dd98770$6700a8c0@enterprise>
Message-ID: <20070213164310.GB2051@jabberwocky.com>
On Mon, Feb 12, 2007 at 12:53:38PM -0700, jason heddings wrote:
> Thanks for the reply (and keeping me from making a big mistake)...
>
> So, for doing basic data encryption / transmission, what's the right way to
> go? We just need to do public key encryption, send the data (via email or
> postal), decrypt on a backend.
It sounds like straight OpenPGP will do the job for you. It is a
well-understood and widely supported protocol for public key
encryption. GnuPG can do what you need right out of the box, and can
handle both email and postal easily.
David
From benjamin at py-soft.co.uk Tue Feb 13 20:03:24 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Tue, 13 Feb 2007 19:03:24 +0000
Subject: Compiling GnuPG 2.0.1 on MacOS X
In-Reply-To: <45CF6F07.9040809@py-soft.co.uk>
References: <20070104.141847.12788317.kazu@iij.ad.jp> <20070105194302.GH1278@curie-int.orbis-terrarum.net> <87wt33l1t7.fsf@wheatstone.g10code.de> <45C0A96B.6090301@py-soft.co.uk>
<45C0D588.70106@py-soft.co.uk> <45CF561B.90305@py-soft.co.uk>
<45CF6F07.9040809@py-soft.co.uk>
Message-ID: <45D20B7C.8030909@py-soft.co.uk>
Benjamin Donnachie wrote:
> How embarrassing... my mistake - I was still using the old patched version!
Ah-ha! That's better! As a quick test I threw together the following
helper application:
/*
** Mac OS fails to process bundle information correctly
** for pinentry-mac.
**
** This quick hack attempts to address that.
**
*/
#include
int main()
{
return system
("/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac");
}
Compile this using "gcc -isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch
i386 -arch ppc pinentry-helper.c -o pinentry-helper" (Or download from
http://www.py-soft.co.uk/~benjamin/download/mac-gpg/pinentry-helper) and
copy it to "/Applications/pinentry-mac.app/Contents/MacOS/pinentry-helper".
Then add the following to ~/.gnupg/gpg-agent.conf:
pinentry-program
"/Applications/pinentry-mac.app/Contents/MacOS/pinentry-helper"
Unpatched gpg-agent (admittedly v1.9.21) correctly invokes pinentry-mac,
reading the GUI bundle information correctly.
It needs more work to achieve a tidy solution - especially since the
location of pinentry-mac is fixed and it fails to pass any command line
arguments. Plus I might still use NSTask instead.
Ben
From dshaw at jabberwocky.com Tue Feb 13 19:45:55 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 13 Feb 2007 13:45:55 -0500
Subject: storing password lists in mails to myself on IMAP?
In-Reply-To: <00387739ad35be0cc009f910b3bf73ab@dizum.com>
References: <00387739ad35be0cc009f910b3bf73ab@dizum.com>
Message-ID: <20070213184555.GD2051@jabberwocky.com>
On Thu, Feb 08, 2007 at 03:30:04PM +0100, Nomen Nescio wrote:
> I use thunderbird on my laptop and desktop with an IMAP server, and
> I've been mailing myself encrypted mails with website passwords so I
> have access to them on both computers.
>
> This is just as secure as encrypting a file and copying it onto both
> computers without using e-mail as a medium, right?
Yes. If the data is securely encrypted, mail is just as good as any
other over-the-network method for moving the file from machine to
machine.
David
From jrhendri at maine.rr.com Tue Feb 13 19:20:25 2007
From: jrhendri at maine.rr.com (Jim Hendrick)
Date: Tue, 13 Feb 2007 13:20:25 -0500
Subject: storing password lists in mails to myself on IMAP?
In-Reply-To: <00387739ad35be0cc009f910b3bf73ab@dizum.com>
Message-ID: <000001c74f9b$a67e03b0$0b00a8c0@D7LMKZ01>
What you are doing works. But take a look at password safe (Bruce Schneier &
Counterpane labs). Also Password Gorilla (compatible w/ password safe)
If you are truly paranoid, you could encrypt and email the safe back and
forth w/ gpg, or carry it on a USB stick.
> -----Original Message-----
> From: gnupg-users-bounces at gnupg.org
> [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Nomen Nescio
> Sent: Thursday, February 08, 2007 9:30 AM
> To: gnupg-users at gnupg.org
> Subject: storing password lists in mails to myself on IMAP?
>
>
> I use thunderbird on my laptop and desktop with an IMAP
> server, and I've been mailing myself encrypted mails with
> website passwords so I have access to them on both computers.
>
> This is just as secure as encrypting a file and copying it
> onto both computers without using e-mail as a medium, right?
>
> Or am I doing something stupid?
>
> thanks
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-> users
>
From randy at randyburns.us Tue Feb 13 20:53:26 2007
From: randy at randyburns.us (Randy Burns)
Date: Tue, 13 Feb 2007 11:53:26 -0800 (PST)
Subject: storing password lists in mails to myself on IMAP?
In-Reply-To: <00387739ad35be0cc009f910b3bf73ab@dizum.com>
Message-ID: <163077.18506.qm@web50915.mail.yahoo.com>
--- Nomen Nescio wrote:
> I use thunderbird on my laptop and desktop with an IMAP server, and
> I've been mailing myself encrypted mails with website passwords so I
> have access to them on both computers.
>
> This is just as secure as encrypting a file and copying it onto both
> computers without using e-mail as a medium, right?
>
> Or am I doing something stupid?
>
> thanks
>
As far as I know, once it's encrypted, you can publish it on a webpage, or
put it on a billboard by the highway if you want. Without the secret key,
and the passphrase, the message might as well be buried two miles under a
pyramid by the Nile. It may not always be that way, but it is now.
Randy
From jbruni at mac.com Tue Feb 13 22:33:57 2007
From: jbruni at mac.com (Joseph Oreste Bruni)
Date: Tue, 13 Feb 2007 14:33:57 -0700
Subject: storing password lists in mails to myself on IMAP?
In-Reply-To: <000001c74f9b$a67e03b0$0b00a8c0@D7LMKZ01>
References: <000001c74f9b$a67e03b0$0b00a8c0@D7LMKZ01>
Message-ID: <63C35C58-035B-484C-A9F8-91088AC66689@mac.com>
If you happen to be using Mac OS X, you can store encrypted bits of
information in the Keychain. And if you have a .mac account, your
keychain data can be automatically synchronized across systems.
-Joe
On Feb 13, 2007, at 11:20 AM, Jim Hendrick wrote:
> What you are doing works. But take a look at password safe (Bruce
> Schneier &
> Counterpane labs). Also Password Gorilla (compatible w/ password safe)
>
> If you are truly paranoid, you could encrypt and email the safe
> back and
> forth w/ gpg, or carry it on a USB stick.
>
>
>
>> -----Original Message-----
>> From: gnupg-users-bounces at gnupg.org
>> [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Nomen Nescio
>> Sent: Thursday, February 08, 2007 9:30 AM
>> To: gnupg-users at gnupg.org
>> Subject: storing password lists in mails to myself on IMAP?
>>
>>
>> I use thunderbird on my laptop and desktop with an IMAP
>> server, and I've been mailing myself encrypted mails with
>> website passwords so I have access to them on both computers.
>>
>> This is just as secure as encrypting a file and copying it
>> onto both computers without using e-mail as a medium, right?
>>
>> Or am I doing something stupid?
>>
>> thanks
>>
>> _______________________________________________
>> Gnupg-users mailing list
>> Gnupg-users at gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-> users
>>
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
From rocket at heddway.com Wed Feb 14 03:45:09 2007
From: rocket at heddway.com (jason heddings)
Date: Tue, 13 Feb 2007 19:45:09 -0700
Subject: Sending Public Key
In-Reply-To: <20070213164310.GB2051@jabberwocky.com>
References: <873b5b5rkj.fsf@wheatstone.g10code.de><001c01c74edf$7dd98770$6700a8c0@enterprise>
<20070213164310.GB2051@jabberwocky.com>
Message-ID: <000001c74fe2$2558faa0$6700a8c0@enterprise>
Thanks for all the help! We are going to look into OpenPGP and OpenSSL
(since we may need it for our web server anyway).
--jah
-----Original Message-----
From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org]
On Behalf Of David Shaw
Sent: Tuesday, 13 February, 2007 09:43
To: gnupg-users at gnupg.org
Subject: Re: Sending Public Key
On Mon, Feb 12, 2007 at 12:53:38PM -0700, jason heddings wrote:
> Thanks for the reply (and keeping me from making a big mistake)...
>
> So, for doing basic data encryption / transmission, what's the right way
to
> go? We just need to do public key encryption, send the data (via email or
> postal), decrypt on a backend.
It sounds like straight OpenPGP will do the job for you. It is a
well-understood and widely supported protocol for public key
encryption. GnuPG can do what you need right out of the box, and can
handle both email and postal easily.
David
_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
From roam at ringlet.net Wed Feb 14 09:22:19 2007
From: roam at ringlet.net (Peter Pentchev)
Date: Wed, 14 Feb 2007 10:22:19 +0200
Subject: Compiling GnuPG 2.0.1 on MacOS X
In-Reply-To: <45D20B7C.8030909@py-soft.co.uk>
References: <20070104.141847.12788317.kazu@iij.ad.jp>
<20070105194302.GH1278@curie-int.orbis-terrarum.net>
<87wt33l1t7.fsf@wheatstone.g10code.de>
<45C0A96B.6090301@py-soft.co.uk> <45C0D588.70106@py-soft.co.uk>
<45CF561B.90305@py-soft.co.uk> <45CF6F07.9040809@py-soft.co.uk>
<45D20B7C.8030909@py-soft.co.uk>
Message-ID: <20070214082219.GA1956@straylight.m.ringlet.net>
On Tue, Feb 13, 2007 at 07:03:24PM +0000, Benjamin Donnachie wrote:
> Benjamin Donnachie wrote:
> > How embarrassing... my mistake - I was still using the old patched version!
>
> Ah-ha! That's better! As a quick test I threw together the following
> helper application:
>
> /*
> ** Mac OS fails to process bundle information correctly
> ** for pinentry-mac.
> **
> ** This quick hack attempts to address that.
> **
> */
>
> #include
>
> int main()
> {
> return system
> ("/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac");
> }
Is there any reason for not using execv(3)?
(disclaimer: not tested on PPC or MacOS X or, really, anything besides
FreeBSD/i386 and Debian/i386...)
#include
#include
#ifndef __unused
#if defined(__GNUC__) && !defined(__INTEL_COMPILER)
#define __unused __attribute__((unused))
#else /* __GNUC__ */
#if defined(__INTEL_COMPILER)
#define __unused __attribute__((__unused__))
#else /* __INTEL_COMPILER */
#define __unused
#endif /* __INTEL_COMPILER */
#endif /* __GNUC__ */
#endif /* __unused */
#define APP "/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac"
int main(int argc __unused, char * const argv[])
{
execv(APP, argv);
perror("execv");
return (1);
}
Of course, you may skip the whole __unused dance if you know that you
are only ever going to compile it on a single OS/arch/compiler - or if
you don't care about compiler warnings :)
> Compile this using "gcc -isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch
> i386 -arch ppc pinentry-helper.c -o pinentry-helper" (Or download from
> http://www.py-soft.co.uk/~benjamin/download/mac-gpg/pinentry-helper) and
> copy it to "/Applications/pinentry-mac.app/Contents/MacOS/pinentry-helper".
>
> Then add the following to ~/.gnupg/gpg-agent.conf:
>
> pinentry-program
> "/Applications/pinentry-mac.app/Contents/MacOS/pinentry-helper"
>
> Unpatched gpg-agent (admittedly v1.9.21) correctly invokes pinentry-mac,
> reading the GUI bundle information correctly.
>
> It needs more work to achieve a tidy solution - especially since the
> location of pinentry-mac is fixed and it fails to pass any command line
> arguments.
The above will take care of passing command-line arguments; the executable
location might be handled by a symlink or something.
> Plus I might still use NSTask instead.
G'luck,
Peter
--
Peter Pentchev roam at ringlet.net roam at cnsys.bg roam at FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
Nostalgia ain't what it used to be.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : /pipermail/attachments/20070214/4b6be4f0/attachment-0001.pgp
From benjamin at py-soft.co.uk Wed Feb 14 19:58:28 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Wed, 14 Feb 2007 18:58:28 +0000
Subject: Compiling GnuPG 2.0.1 on MacOS X
In-Reply-To: <20070214082219.GA1956@straylight.m.ringlet.net>
References: <20070104.141847.12788317.kazu@iij.ad.jp>
<20070105194302.GH1278@curie-int.orbis-terrarum.net>
<87wt33l1t7.fsf@wheatstone.g10code.de>
<45C0A96B.6090301@py-soft.co.uk> <45C0D588.70106@py-soft.co.uk>
<45CF561B.90305@py-soft.co.uk> <45CF6F07.9040809@py-soft.co.uk>
<45D20B7C.8030909@py-soft.co.uk>
<20070214082219.GA1956@straylight.m.ringlet.net>
Message-ID: <45D35BD4.1000703@py-soft.co.uk>
Peter Pentchev wrote:
> Is there any reason for not using execv(3)?
'cos I was searching through my MacOS programming book for a solution to
MacOS X not reading the GUI bundle information and it suggested using
system.
> G'luck,
Christian's suggestion of trying a shell script was perfect and makes my
life soooooo much easier! :)
Ben
From bdc at topenergy.co.nz Wed Feb 14 21:46:10 2007
From: bdc at topenergy.co.nz (Bruce Cowin)
Date: Thu, 15 Feb 2007 09:46:10 +1300
Subject: GPG4Win keys not appearing
Message-ID:
I'm using GPG4win 1.0.8. I have imported a key and have used it for encrypting a few times. I notice that sometimes when I right click on a file, this key doesn't appear in the key lists and sometimes it does. Has anyone else experienced this? Do we know why it does this?
Thanks.
Regards,
Bruce
From twoaday at gmx.net Thu Feb 15 11:04:45 2007
From: twoaday at gmx.net (Timo Schulz)
Date: Thu, 15 Feb 2007 11:04:45 +0100
Subject: GPG4Win keys not appearing
In-Reply-To:
References:
Message-ID: <45D4303D.10108@gmx.net>
Bruce Cowin wrote:
> I notice that sometimes when I right click on a file, this key doesn't appear in the key
> lists and sometimes it does. Has anyone else experienced this? Do we know why it does this?
Do you use GPGee or the WinPT File Manager?
GPGee has a website with a forum for such questions:
http://gpgee.excelcia.org/
I'm not familiar with most parts of the code so I guess it's
the best idea to use the forum and, maybe later, ask the author
directly if this is a known problem. (I'm not aware of any
bug tracker for this program)
Timo
From kfitzner at excelcia.org Thu Feb 15 12:14:02 2007
From: kfitzner at excelcia.org (Kurt Fitzner)
Date: Thu, 15 Feb 2007 04:14:02 -0700
Subject: GPG4Win keys not appearing
Message-ID: <45D4407A.50703@excelcia.org>
Hi Bruce,
I'm the author of GPGee (GPG Explorer Extensions), which from what you
have described, seems to be the component you're having problems with.
I've had several reports of keys disappearing at odd times. I've never
been able to duplicate the problem myself, so I haven't been able to
track it down completely.
My GPGee program ran into problems because it has to deal with an issue
with GnuPG where specifying the same key ring more than once causes keys
to duplicate in its output. It's quite easy to mis-configure the
gpg.conf file to cause GPG to do this, so I had to write in code in the
explorer extension that filtered this out. I am fairly certain it is
this code that is, in certain cases, misbehaving, but I've not been able
to work out exactly how.
Several times I've requested a change to GPG to cause it to not
duplicate keyring output, but this has not been done.
If you can produce a sample keyring that exhibits the disappearing key
behavior, I'll try again to track the problem down. Failing that, I
suppose enough people will just have to step up and ask for GPG to change.
Regards,
Kurt Fitzner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 305 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20070215/aa5ffa3a/attachment.pgp
From nobody at dizum.com Tue Feb 13 22:30:03 2007
From: nobody at dizum.com (Nomen Nescio)
Date: Tue, 13 Feb 2007 22:30:03 +0100 (CET)
Subject: storing password lists in mails to myself on IMAP?
References: <00387739ad35be0cc009f910b3bf73ab@dizum.com>
Message-ID: <8ddfbdf6a1be205168880b59e62dfa8d@dizum.com>
Nomen Nescio wrote:
> I use thunderbird on my laptop and desktop with an IMAP server, and
> I've been mailing myself encrypted mails with website passwords so I
> have access to them on both computers.
>
> This is just as secure as encrypting a file and copying it onto both
> computers without using e-mail as a medium, right?
>
> Or am I doing something stupid?
>
You're doing something "strange" anyway. The encryption is just as
strong either way, but any email client is liable to create temp
files and stuff which could hold unencrypted copies of your password
lists. Given that this is an IMAP account it's possible those temp
files exist on the IMAP server. :-(
From jbruni at mac.com Thu Feb 15 18:34:36 2007
From: jbruni at mac.com (Joseph Oreste Bruni)
Date: Thu, 15 Feb 2007 09:34:36 -0800
Subject: storing password lists in mails to myself on IMAP?
In-Reply-To: <8ddfbdf6a1be205168880b59e62dfa8d@dizum.com>
References: <00387739ad35be0cc009f910b3bf73ab@dizum.com>
<8ddfbdf6a1be205168880b59e62dfa8d@dizum.com>
Message-ID:
On Thursday, February 15, 2007, at 10:01AM, "Nomen Nescio" wrote:
>Nomen Nescio wrote:
>
>> I use thunderbird on my laptop and desktop with an IMAP server, and
>> I've been mailing myself encrypted mails with website passwords so I
>> have access to them on both computers.
>>
>> This is just as secure as encrypting a file and copying it onto both
>> computers without using e-mail as a medium, right?
>>
>> Or am I doing something stupid?
>>
>
>You're doing something "strange" anyway. The encryption is just as
>strong either way, but any email client is liable to create temp
>files and stuff which could hold unencrypted copies of your password
>lists. Given that this is an IMAP account it's possible those temp
>files exist on the IMAP server. :-(
Not true. Since encryption and decryption can only take place on the local computer, there won't be any "temp" files stored on the IMAP server.
From rjh at sixdemonbag.org Thu Feb 15 18:56:58 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 15 Feb 2007 12:56:58 -0500
Subject: storing password lists in mails to myself on IMAP?
In-Reply-To: <8ddfbdf6a1be205168880b59e62dfa8d@dizum.com>
References: <00387739ad35be0cc009f910b3bf73ab@dizum.com>
<8ddfbdf6a1be205168880b59e62dfa8d@dizum.com>
Message-ID: <45D49EEA.8010009@sixdemonbag.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Nomen Nescio wrote:
> Given that this is an IMAP account it's possible those temp
> files exist on the IMAP server. :-(
Can you point me to an IMAP client which does this? Or to part of the
IMAP RFC which lists "storing arbitrary data for the client's use on the
server" as a feature? Or an IMAP server which supports this?
Otherwise, this seems to be paranoid fantasy.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQEcBAEBCAAGBQJF1J7qAAoJELcA9IL+r4EJoFgIAK4yClL3x/iRYBiu2hDx0aQ7
90y2O0YU0T69hEDcAMKaA9AAdZFk36lPQDV1frTB7IPxf2Gq7MQrFNSo0nG1jC9i
q4DLjvUAYvFRP8ll2OZ7/u1BbyGf9+hG3WLPr1evLKJgEU8KYayGyrddkj/ZykCT
bEnC/qSKNgHh3hfpUMB/3+ma/Qg+d/q/PHJo2AMqxzR0a+gbMZYwPKl0l1G4RTC5
1iic9W+W0YQQXB55KvUIN74dycvhpH7AVuViCS4ie0O49VI+0nNnwzJMiFLrN2or
m4OnylpgV0xDcd0WH11bvZayx9Bkhry9WEE13qqhfsZGNB07iNSa0igaDlUwM0I=
=asKl
-----END PGP SIGNATURE-----
From bdc at topenergy.co.nz Thu Feb 15 21:07:20 2007
From: bdc at topenergy.co.nz (Bruce Cowin)
Date: Fri, 16 Feb 2007 09:07:20 +1300
Subject: GPG4Win keys not appearing
Message-ID:
Hi Kurt,
Yes it is GPGee I'm using. Thanks for the explanation. I'll see if I can produce the keyrings. Failing that, I guess we'll just keep trying until the key reappears or use GPG commands.
Thanks again.
Regards,
Bruce
>>> Kurt Fitzner 16/02/2007 12:14:02 a.m. >>>
Hi Bruce,
I'm the author of GPGee (GPG Explorer Extensions), which from what you
have described, seems to be the component you're having problems with.
I've had several reports of keys disappearing at odd times. I've never
been able to duplicate the problem myself, so I haven't been able to
track it down completely.
My GPGee program ran into problems because it has to deal with an issue
with GnuPG where specifying the same key ring more than once causes keys
to duplicate in its output. It's quite easy to mis-configure the
gpg.conf file to cause GPG to do this, so I had to write in code in the
explorer extension that filtered this out. I am fairly certain it is
this code that is, in certain cases, misbehaving, but I've not been able
to work out exactly how.
Several times I've requested a change to GPG to cause it to not
duplicate keyring output, but this has not been done.
If you can produce a sample keyring that exhibits the disappearing key
behavior, I'll try again to track the problem down. Failing that, I
suppose enough people will just have to step up and ask for GPG to change.
Regards,
Kurt Fitzner
From r.post at sara.nl Thu Feb 15 21:29:02 2007
From: r.post at sara.nl (Remco Post)
Date: Thu, 15 Feb 2007 21:29:02 +0100
Subject: storing password lists in mails to myself on IMAP?
In-Reply-To: <45D49EEA.8010009@sixdemonbag.org>
References: <00387739ad35be0cc009f910b3bf73ab@dizum.com> <8ddfbdf6a1be205168880b59e62dfa8d@dizum.com>
<45D49EEA.8010009@sixdemonbag.org>
Message-ID: <45D4C28E.4040300@sara.nl>
Robert J. Hansen wrote:
> Nomen Nescio wrote:
>> Given that this is an IMAP account it's possible those temp
>> files exist on the IMAP server. :-(
>
> Can you point me to an IMAP client which does this? Or to part of the
> IMAP RFC which lists "storing arbitrary data for the client's use on the
> server" as a feature? Or an IMAP server which supports this?
>
most mail-clients store draft e-mails on the imap server, thunderbird
does this with user-interaction, others might do the same without you
knowing. Anything can be stored on the mailserver as a mail-message.
> Otherwise, this seems to be paranoid fantasy.
>
>
Not really. I can very well inmagine it happening without you knowing.
Of course, local temp diskspace is usually faster than an imap servers,
so very few applications will safe unfinished mail on imap without you
noticing.
_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
--
Met vriendelijke groeten,
Remco Post
SARA - Reken- en Netwerkdiensten http://www.sara.nl
High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC
"I really didn't foresee the Internet. But then, neither did the
computer industry. Not that that tells us very much of course - the
computer industry didn't even foresee that the century was going to
end." -- Douglas Adams
From r.post at sara.nl Fri Feb 16 00:06:45 2007
From: r.post at sara.nl (Remco Post)
Date: Fri, 16 Feb 2007 00:06:45 +0100
Subject: storing password lists in mails to myself on IMAP?
In-Reply-To: <47EE23A4-5778-45DE-8A4A-31AF2A32E457@sixdemonbag.org>
References: <00387739ad35be0cc009f910b3bf73ab@dizum.com> <8ddfbdf6a1be205168880b59e62dfa8d@dizum.com>
<45D49EEA.8010009@sixdemonbag.org> <45D4C28E.4040300@sara.nl>
<47EE23A4-5778-45DE-8A4A-31AF2A32E457@sixdemonbag.org>
Message-ID: <45D4E785.9050209@sara.nl>
Robert J. Hansen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>> most mail-clients store draft e-mails on the imap server, thunderbird
>> does this with user-interaction, others might do the same without you
>> knowing. Anything can be stored on the mailserver as a mail-message.
>
> That's true. That doesn't mean that MUAs should be thought of as
> caching your passphrases on the server. If there were MUAs in common
> use that did this, don't you think someone would have noticed by now?
>
You should if you mail yourself your passwords or passphrases. Highly
unlikely nobody would have noticed by now, but be careful with what you do.
--
Met vriendelijke groeten,
Remco Post
SARA - Reken- en Netwerkdiensten http://www.sara.nl
High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC
"I really didn't foresee the Internet. But then, neither did the
computer industry. Not that that tells us very much of course - the
computer industry didn't even foresee that the century was going to
end." -- Douglas Adams
From rjh at sixdemonbag.org Thu Feb 15 23:59:23 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 15 Feb 2007 17:59:23 -0500
Subject: storing password lists in mails to myself on IMAP?
In-Reply-To: <45D4C28E.4040300@sara.nl>
References: <00387739ad35be0cc009f910b3bf73ab@dizum.com> <8ddfbdf6a1be205168880b59e62dfa8d@dizum.com>
<45D49EEA.8010009@sixdemonbag.org> <45D4C28E.4040300@sara.nl>
Message-ID: <47EE23A4-5778-45DE-8A4A-31AF2A32E457@sixdemonbag.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> most mail-clients store draft e-mails on the imap server, thunderbird
> does this with user-interaction, others might do the same without you
> knowing. Anything can be stored on the mailserver as a mail-message.
That's true. That doesn't mean that MUAs should be thought of as
caching your passphrases on the server. If there were MUAs in common
use that did this, don't you think someone would have noticed by now?
If this issue is the most pressing one in your security policy, then
either check it out for yourself or get a definitive answer from
someone you trust. Otherwise, start at the most pressing issues and
start working your way down to the low-risk items like this.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
iQEcBAEBCAAGBQJF1OXDAAoJELcA9IL+r4EJqYoH/ihAlcm7HApA9sXe5IGLEXH1
+YCu3Y6DJWjpS4YAMPesEMmP2Ec2zfmJfLhyNTQlOeDk6ltrpTU2ER6PjR/1nTqj
GI7GEtZWCwxKZ5Eb8IwmvrQ/i64fjP+oxIfMYJwrqeWVAFRxPboxhqEvQaYXl/n7
OCPHM97dsoC/3TmMxLTQFWzqcFEdUQl2Pf6q73OGJhzPnu9e3xd2cM/J6VTsPH74
++lHeOFf5nHSwCrqsEW4Yj0O9Mbs4qfvjEvKSqazmAfeWSl/kTP0rVSZjci1+wf+
HnGGQTuD16/Kcv3VG5B4uO7SUJiEFE7mOQspc5pLVGdRaMEY0l3Gp87fZCAxMg8=
=X6pd
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
iQEcBAEBCAAGBQJF1OXLAAoJELcA9IL+r4EJUtQIANdh8HuPEGvtwVnoX+CfwxmN
U9jO+toIgpijVaHGogcpTHaYPHMBE/qhiGoGHk+6WEElVY9nC8YJFbB8Hs89SKin
z6WNg8vyjg+ePd2UR+pn4XpeIOTF/xICakZSwNxcM90nxHbEajhCp1ZWMfsZ+W1J
55RewfWtwmDTUtH5bydg4GSJM4PNI6tUP1tVpdi81ieEHgQt75+QN5boi9qF9dWu
dMp1DACHPt5ImVunkM0u+oPGkPn2uYYhBDo/ztZRFV+bUx92PDFG+RRA+pnZCBQ5
HGz492OPoMVnFiAxefiv8GdBPmGs9ceTIbpcLDdr3EY2+wIi0N4XizjzI3AYE0s=
=SBiR
-----END PGP SIGNATURE-----
From greg at reaume.name Fri Feb 16 02:28:35 2007
From: greg at reaume.name (Greg Reaume)
Date: Thu, 15 Feb 2007 20:28:35 -0500
Subject: OpenPGP Card Digest Algorithms
Message-ID: <45D508C3.4020909@reaume.name>
Which digest algorithms does the OpenPGP card support?
I'm getting the following error when I try to use my card:
gpg: card does not support digest algorithm SHA256
gpg: signing failed: invalid argument
TIA,
Greg Reaume
From dshaw at jabberwocky.com Fri Feb 16 06:03:26 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 16 Feb 2007 00:03:26 -0500
Subject: OpenPGP Card Digest Algorithms
In-Reply-To: <45D508C3.4020909@reaume.name>
References: <45D508C3.4020909@reaume.name>
Message-ID: <20070216050326.GA27943@jabberwocky.com>
On Thu, Feb 15, 2007 at 08:28:35PM -0500, Greg Reaume wrote:
> Which digest algorithms does the OpenPGP card support?
>
> I'm getting the following error when I try to use my card:
>
> gpg: card does not support digest algorithm SHA256
> gpg: signing failed: invalid argument
The card supports SHA-1 and RIPEMD160.
David
From nobody at dizum.com Thu Feb 15 22:10:08 2007
From: nobody at dizum.com (Nomen Nescio)
Date: Thu, 15 Feb 2007 22:10:08 +0100 (CET)
Subject: storing password lists in mails to myself on IMAP?
References: <45D49EEA.8010009@sixdemonbag.org>
Message-ID: <09ef3c2b5bd7c6a2d6d89c152f771ec3@dizum.com>
Robert J. Hansen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Nomen Nescio wrote:
> > Given that this is an IMAP account it's possible those temp
> > files exist on the IMAP server. :-(
>
> Can you point me to an IMAP client which does this? Or to part of the
Amusing as it is to me anyway, Firefox will do this. Part of it's
crash recovery is saving a copy of messages you're composing every
few keystrokes. I'm not even sure you can turn the feature off, and
if you have a "everything but the kitchen sink on the server" setup
those temporary copies are stored in a draft folder *on the IMAP
server*, unencrypted.
I know for a fact it can happen because I've seen it first hand
on my own Courier/Postfix server in bold, living color.
> IMAP RFC which lists "storing arbitrary data for the client's use on
> the server" as a feature? Or an IMAP server which supports this?
>
> Otherwise, this seems to be paranoid fantasy.
Yeah. Sure it does.
Maybe you should think things through, or God forbid even run a
few tests or something before puffing your chest there Robert.
Especially when you're in the unenviable position of potentialy
being your own proof of concept.
From nobody at dizum.com Thu Feb 15 22:10:08 2007
From: nobody at dizum.com (Nomen Nescio)
Date: Thu, 15 Feb 2007 22:10:08 +0100 (CET)
Subject: storing password lists in mails to myself on IMAP?
References: <45D49EEA.8010009@sixdemonbag.org>
Message-ID: <09ef3c2b5bd7c6a2d6d89c152f771ec3@dizum.com>
Robert J. Hansen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Nomen Nescio wrote:
> > Given that this is an IMAP account it's possible those temp
> > files exist on the IMAP server. :-(
>
> Can you point me to an IMAP client which does this? Or to part of the
Amusing as it is to me anyway, Firefox will do this. Part of it's
crash recovery is saving a copy of messages you're composing every
few keystrokes. I'm not even sure you can turn the feature off, and
if you have a "everything but the kitchen sink on the server" setup
those temporary copies are stored in a draft folder *on the IMAP
server*, unencrypted.
I know for a fact it can happen because I've seen it first hand
on my own Courier/Postfix server in bold, living color.
> IMAP RFC which lists "storing arbitrary data for the client's use on
> the server" as a feature? Or an IMAP server which supports this?
>
> Otherwise, this seems to be paranoid fantasy.
Yeah. Sure it does.
Maybe you should think things through, or God forbid even run a
few tests or something before puffing your chest there Robert.
Especially when you're in the unenviable position of potentialy
being your own proof of concept.
From pcannon at riseup.net Thu Feb 15 22:28:05 2007
From: pcannon at riseup.net (pete)
Date: Thu, 15 Feb 2007 16:28:05 -0500
Subject: GnuPG, Thunderbird, and Armor Headers From PGP 9.5
Message-ID: <45D4D065.3040504@riseup.net>
I have to communicate via PGP a lot via Windows, and I've been having a
problem for a while that I'm trying to avoid having to go through a
lengthy workaround. I'm running XP, Thunderbird 1.5.0.9 with GnuPG for
Windows 0.7.4 (I know, I know -- I'm downloading an update right now,
but I'm not sure that's the problem). When most people PGP me, they use
GnuPG, and it's straightforward: I enter my passphrase, and it decrypts.
However, people emailing me using PGP Desktop 9.5.2 give me a big headache.
I'll enter my passphrase, and get this error:
gpg command line and output:,C:\\Program Files\\GNU\\GnuPG\\gpg.exe
--charset utf8 --batch --no-tty --status-fd 2 -d --passphrase-fd 0
--no-use-agent ,gpg: invalid armor header: www.pgp.com\r\n,gpg: invalid
radix64 character 2E skipped,gpg: invalid radix64 character 2E
skipped,gpg: CRC error; 661020 - 8E84F7,gpg: packet(3) with unknown
version 41
I played around for a while, and found a fix for this. The top of the
message looks like this:
> -----BEGIN PGP MESSAGE-----
> Version: PGP Desktop 9.5.2 (Build 4075) - not licensed for commercial use:
> www.pgp.com
PGP Desktop adds a second line for "www.pgp.com". If I paste the
message into notepad and delete that line, then decrypt the text file I
save, everything is fine. It's a huge hassle to do every time I have a
message, though (and a potential security issue), so I'm looking for a
way to have this decrypt regularly in Thunderbird?
Sorry if this should be in the enigmail list, I'm not quite sure where
to send it.
From rjh at sixdemonbag.org Fri Feb 16 18:16:39 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 16 Feb 2007 12:16:39 -0500
Subject: storing password lists in mails to myself on IMAP?
In-Reply-To: <09ef3c2b5bd7c6a2d6d89c152f771ec3@dizum.com>
References: <45D49EEA.8010009@sixdemonbag.org>
<09ef3c2b5bd7c6a2d6d89c152f771ec3@dizum.com>
Message-ID: <371A3ACE-9966-4B7C-8278-039616635A94@sixdemonbag.org>
> Maybe you should think things through, or God forbid even run a
> few tests or something before puffing your chest there Robert.
> Especially when you're in the unenviable position of potentialy
> being your own proof of concept.
I don't know why you have such an allergy to being shown wrong. Or
why you think I do.
It works like this: if you can find me a commonly-used IMAP client
that's this stupid, then I will welcome being shown wrong. And
really, why shouldn't I? Being wrong isn't the end of the world.
But until you can show me an IMAP client in common use which is dumb
enough to store sensitive and arbitrary data server-side, then I'm
going to continue to say this is a nonissue and you shouldn't worry
about it.
You can also assume the existence of MUAs which, when you encrypt
data, will also send an unencrypted copy to a recipient. This could
be done while still being perfectly in accordance with the OpenPGP
spec. And yet, we're not worried about MUAs doing it. Why? Because
it's so incredibly dumb that we're going to assume people are smarter
than that. The same logic applies here.
Once you show me a commonly-used IMAP client that's this stupid, I'll
happily admit that yes, I was wrong, and some IMAP client authors are
this stupid. But until then, what's the use in fearmongering?
From shavital at mac.com Fri Feb 16 22:20:14 2007
From: shavital at mac.com (Charly Avital)
Date: Fri, 16 Feb 2007 23:20:14 +0200
Subject: GnuPG, Thunderbird, and Armor Headers From PGP 9.5
In-Reply-To: <45D4D065.3040504@riseup.net>
References: <45D4D065.3040504@riseup.net>
Message-ID: <45D6200E.8040103@mac.com>
pete wrote the following on 2/15/07 11:28 PM:
[...]
> I played around for a while, and found a fix for this. The top of the
> message looks like this:
>
>> -----BEGIN PGP MESSAGE-----
>> Version: PGP Desktop 9.5.2 (Build 4075) - not licensed for commercial use:
>> www.pgp.com
>
> PGP Desktop adds a second line for "www.pgp.com".
I am a Mac registered user of PGP 9.5.2, and I have just made some
googling on the issue you raise.
I have seen examples of similar PGP headers, originated only by freeware
versions of PGP Desktop (as far back as versions 7.*), where the header
e.g.:
Version: PGPfreeware 7.0.3 for non-commercial use
Version: PGP 8.0.3 - not licensed for commercial use: www.pgp.com
comes in one single line.
I am aware that in your example, that header is longer because of the
'(Build.....) mention.
I correspond with a friend who uses a licensed PGP 9.5.2, where that
header is also shorter than the one you mention.
> If I paste the
> message into notepad and delete that line, then decrypt the text file I
> save, everything is fine. It's a huge hassle to do every time I have a
> message, though (and a potential security issue),so I'm looking for a
> way to have this decrypt regularly in Thunderbird?
>
> Sorry if this should be in the enigmail list, I'm not quite sure where
> to send it.
As far as I can remember there's an excellent list that addresses PGP
issues named PGP-Basics:
where subscribers
and moderators are always ready to help.
You can also try PGP's CTO Jon Callas , who's usually ready
to help with PGP issues.
Good luck
Charly
From dshaw at jabberwocky.com Fri Feb 16 23:51:52 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 16 Feb 2007 17:51:52 -0500
Subject: GnuPG, Thunderbird, and Armor Headers From PGP 9.5
In-Reply-To: <45D4D065.3040504@riseup.net>
References: <45D4D065.3040504@riseup.net>
Message-ID: <20070216225152.GE32368@jabberwocky.com>
On Thu, Feb 15, 2007 at 04:28:05PM -0500, pete wrote:
> > -----BEGIN PGP MESSAGE-----
> > Version: PGP Desktop 9.5.2 (Build 4075) - not licensed for commercial use:
> > www.pgp.com
>
> PGP Desktop adds a second line for "www.pgp.com". If I paste the
> message into notepad and delete that line, then decrypt the text file I
> save, everything is fine. It's a huge hassle to do every time I have a
> message, though (and a potential security issue), so I'm looking for a
> way to have this decrypt regularly in Thunderbird?
This is a problem that pops up now and then. PGP Desktop isn't adding
a second line (the "www.pgp.com"). Rather, it is adding one big
Version line, and then something in the mail chain (generally it's
their mail program) is "helping" by word wrapping the mail. Since
that Version line is really long, the www.pgp.com bit ends up on a new
line.
You might want to ask the folks mailing you to check their word
wrapping settings.
David
From benjamin at py-soft.co.uk Sat Feb 17 01:35:57 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sat, 17 Feb 2007 00:35:57 +0000
Subject: GnuPG v2.0.2 MAC OS install - TESTING NEEDED!
Message-ID: <45D64DED.1070800@py-soft.co.uk>
I have a test version of a GnuPG v2.0.2 Mac OS Tiger install available
at
http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.2-TEST1.tgz
(Sig available at
http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.2-TEST1.tgz.sig)
This is a Universal Binary and /should/ work on both PPC and Intel.
Save archive to disk, and then type "sudo tar xzvC / -f
/path/to/mac-gnupg-2.0.2-TEST1.tgz"
If you have not used mac-gpg2 before, you will then need to complete the
following steps:
i/ Add the new program "start gpg-agent" in Applications to the list of
programs to start on login.
ii/ Download
http://www.py-soft.co.uk/~benjamin/download/mac-gpg/environment.plist
and save in ~/.MacOSX/
iii/ Add "source ~/.gnupg/.gpg-agent" to the file ~/.profile (Create
~/.profile if it doesn't already exist)
iv/ Create the file ~/.gnupg/gpg-agent.conf containing the single line:
pinentry-program
"/Applications/pinentry-mac.app/Contents/MacOS/pinentry-helper"
v/ Log out.
Then when you log in gpg-agent should be started automatically and be
available to all applications.
This has been tested on a PPC but not Intel yet. There's a small chance
that it may not work at all on your system, but I need feedback so that
I can improve it! Once I know that it's working I will write an
installer that automates the above steps.
Remember, you can install this alongside regular gpg and if this version
doesn't work, regular gpg will be unaffected.
No patches were needed to any of the code and only libgcrypt's config.h
needed a minor edit for endian issues with the fat build.
Thanks as always to Charly for this patience. Thanks to Werner and his
team for such a great product, and thanks to the macgpg team for getting
me started! :-)
**** REMEMBER POSITIVE AND NEGATIVE FEEDBACK NEEDED!!! ****
Ben
From contactium at gmail.com Sat Feb 17 05:04:16 2007
From: contactium at gmail.com (Marc)
Date: Fri, 16 Feb 2007 23:04:16 -0500
Subject: Problem with Evolution
Message-ID: <1171685056.6052.15.camel@earth>
Hello,
I use GnuPG 1.4.3 with Ubuntu 6.10, Seahorse 0.9.5 and
Evolution 2.8.1 and I have this error message :
Because "can't connect to
`/home/marc/.gnome2/seahorse-akXvEN/S.gpg-agent': Aucun fichier ou
r?pertoire de ce type
gpg: impossible de se connecter ?
`/home/marc/.gnome2/seahorse-akXvEN/S.gpg-agent': connect failed
gpg: ?criture de `-'
gpg: DSA/SHA1 signature de: ? 0F70F90E Marc ?
", you may need to select different mail options.
I don't have the file S.gpg-agent.
How to include it in seahorse-akXvEN ?
Thanks
Marc.
From shavital at mac.com Sat Feb 17 08:02:44 2007
From: shavital at mac.com (Charly Avital)
Date: Sat, 17 Feb 2007 09:02:44 +0200
Subject: GnuPG v2.0.2 running on Intel Mac (was: [Macgpg-users] GnuPG v2.0.2
MAC OS install - TESTING NEEDED!)
In-Reply-To: <45D64DED.1070800@py-soft.co.uk>
References: <45D64DED.1070800@py-soft.co.uk>
Message-ID: <45D6A894.9060505@mac.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Benjamin Donnachie wrote the following on 2/17/07 2:35 AM:
[...]
> Thanks as always to Charly for this patience. Thanks to Werner and his
> team for such a great product, and thanks to the macgpg team for getting
> me started! :-)
>
>
> **** REMEMBER POSITIVE AND NEGATIVE FEEDBACK NEEDED!!! ****
>
> Ben
>
1. Machine:
Machine Name: Mac
Machine Model: MacBook2,1
Processor Name: Intel Core 2 Duo
Processor Speed: 2 GHz
Number Of Processors: 1
Total Number Of Cores: 2
L2 Cache (per processor): 4 MB
Memory: 2 GB
Bus Speed: 667 MHz
Boot ROM Version: MB21.00A5.B00
SMC Version: 1.13f3
2. Running perfectly:
[...]$ gpg-agent
gpg-agent: gpg-agent running and available
[...]$ gpg-agent --version
gpg-agent (GnuPG) 2.0.2
Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Tested for signing and decrypting.
3. My thanks go to Ben for his patience and dedication to have gpg2
configured for Intel Macs.
Charly
MacOS X 10.4.8 - GnuPG 1.4.6 - GnuPG2.0.2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
Comment: GnuPG for Privacy
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQEVAwUBRdaokM3GMi2FW4PvAQgwcQgAlq1/ZGDw1uJpGPrcPAVK35Um+rlmCS52
Gk2up2+J08q9ODag5er5SIrczSG8yZ2zE9FBF51Ti+ZdaypDNqYMaR/7VPyVowZ2
0LcpgUp2x6b/s7cQWPjQ5CHTxRO/6eIPBqnsxm+iAkdQ7xd1C146bY/A5aR25zpv
znAVwK2OfXv1UvadxD3p5+BkUecLjw4DpG0Vf3b2WLRwuGDpdGqb3A5zKpGSSDNr
zr3sngZMZ+j99J7GTUg7dN1dX5VzWbO0ja1m/xpl8aeiYsYVuDEIxcCA0dlpVAxt
eTa5huPfyIuqP4jtJ8aBYjrbTfALsF8uv1k5SANDR0YNtUfyc+Si/A==
=jzN1
-----END PGP SIGNATURE-----
From benjamin at py-soft.co.uk Sat Feb 17 11:39:23 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sat, 17 Feb 2007 10:39:23 +0000
Subject: GnuPG v2.0.2 MAC OS install - TESTING NEEDED!
In-Reply-To: <45D64DED.1070800@py-soft.co.uk>
References: <45D64DED.1070800@py-soft.co.uk>
Message-ID: <45D6DB5B.4000804@py-soft.co.uk>
Benjamin Donnachie wrote:
> I have a test version of a GnuPG v2.0.2 Mac OS Tiger install available
> at http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.2-TEST1.tgz
There have been a couple of issues with the tar archive - I guess I'm
too used to the command line! I'll throw together a friendlier GUI
fronted install package this afternoon and will make an announcement
when it's ready.
Ben
From shavital at mac.com Sat Feb 17 12:24:22 2007
From: shavital at mac.com (Charly Avital)
Date: Sat, 17 Feb 2007 13:24:22 +0200
Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED!
In-Reply-To: <45D6E09F.605@py-soft.co.uk>
References: <45D64DED.1070800@py-soft.co.uk> <45D6DB5B.4000804@py-soft.co.uk>
<45D6E09F.605@py-soft.co.uk>
Message-ID: <45D6E5E6.40303@mac.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Benjamin Donnachie wrote the following on 2/17/07 1:01 PM:
> Benjamin Donnachie wrote:
>> I'll throw together a friendlier GUI fronted install
>> package this afternoon and will make an announcement
>> when it's ready.
>
> It was quicker than I thought... GUI install can be downloaded from
> http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.2-TEST1.zip
>
> Double click to extract the installer from the archive and then double
> click on the newly created mac-gnupg-2.0.2-TEST1 install package.
>
> Follow the prompts, entering your password when asked, and then all
> files for gpg2 will be installed in the right places.
>
> You will still need to complete the following steps:
>
> ii/ Download
> http://www.py-soft.co.uk/~benjamin/download/mac-gpg/environment.plist
> and save in ~/.MacOSX/
>
> iii/ Add "source ~/.gnupg/.gpg-agent" to the file ~/.profile (Create
> ~/.profile if it doesn't already exist)
>
> iv/ Create the file ~/.gnupg/gpg-agent.conf containing the single line:
> pinentry-program
> "/Applications/pinentry-mac.app/Contents/MacOS/pinentry-helper"
>
>
> v/ Log out.
>
>
> Remember that "~" is a shortcut recognised by the command line that
> represents your home directory. So ~/.guupg/ actually means
> /Users/benjamin/.gnupg/ on *my* system!
>
> Apologies for any confusion caused by the .tgz archive. Again, the
> remaining install steps will be automated.
>
> Ben
Hi,
Although I had already managed with the command line used in the
previous release, and reported that all was working fine, I downloaded
the GUI package to test it.
Unzipped, ran, logged out/logged back in (for good measure).
Everything is working fine just as reported in my previous e-mail:
gpg-agent is running fine for signing and decrypting in Thunderbird and Mail
Thanks, Ben.
Charly
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
Comment: GnuPG for Privacy
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQEVAwUBRdbl4s3GMi2FW4PvAQj/4AgAvlVhXKsYAvEz5jAEmaHGXX5Od0tcecTx
343vR8bSBh453BdtyFCO1nkDvUqnAPeBS38MqEQwIETjl125LfkyDbXEkkKwP++J
s50feCl55Ka4baYzflNqgypP3RyBRxftyriEj8CcxVmogw3bJl3tpH0RelAuUACu
s6+qKXPW58lKC+vEYj+pKTLiwQ7XzsqSAOc7TdjMdv8cJAhYVQtS/oCVOonNkFwn
Ot6rqs9efuoiX941iA+Kyx5ZJ0dtue9uSRvHss6UZ+y16NbaFKSYgNRyxL6mb4JD
Th8LFUYUzBAXsNBWbtvYFMyDKsO3Oi5V6Bq1SjL1I2zpCpqED0avlQ==
=tYp6
-----END PGP SIGNATURE-----
From benjamin at py-soft.co.uk Sat Feb 17 12:01:51 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sat, 17 Feb 2007 11:01:51 +0000
Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED!
In-Reply-To: <45D6DB5B.4000804@py-soft.co.uk>
References: <45D64DED.1070800@py-soft.co.uk> <45D6DB5B.4000804@py-soft.co.uk>
Message-ID: <45D6E09F.605@py-soft.co.uk>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Benjamin Donnachie wrote:
> I'll throw together a friendlier GUI fronted install
> package this afternoon and will make an announcement
> when it's ready.
It was quicker than I thought... GUI install can be downloaded from
http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.2-TEST1.zip
Double click to extract the installer from the archive and then double
click on the newly created mac-gnupg-2.0.2-TEST1 install package.
Follow the prompts, entering your password when asked, and then all
files for gpg2 will be installed in the right places.
You will still need to complete the following steps:
ii/ Download
http://www.py-soft.co.uk/~benjamin/download/mac-gpg/environment.plist
and save in ~/.MacOSX/
iii/ Add "source ~/.gnupg/.gpg-agent" to the file ~/.profile (Create
~/.profile if it doesn't already exist)
iv/ Create the file ~/.gnupg/gpg-agent.conf containing the single line:
pinentry-program
"/Applications/pinentry-mac.app/Contents/MacOS/pinentry-helper"
v/ Log out.
Remember that "~" is a shortcut recognised by the command line that
represents your home directory. So ~/.guupg/ actually means
/Users/benjamin/.gnupg/ on *my* system!
Apologies for any confusion caused by the .tgz archive. Again, the
remaining install steps will be automated.
Ben
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQIVAwUBRdbgnOgNmph0Y1E2AQJfJBAAhL4GUB1SFJ8uXK6y7i39Xm4fCGJn3qc5
QmvHbh6qaovLlfaf3JSZTAlEZMysp9C1YnUQA6OIN5U5CqCMqfJcI3/9yP/s8Okn
YyoZ1e87vfgKOrQMR9MYciUnOSbj+jaY9lervfWVVs6O3x0g1Rghy9tGv5YiJ+o4
mVYHwaLJgRmXQTZUPB1I+FkpEhwKBcUhJHvCJon/yVXaWHsTXRsTsFzef+0ducXF
W1GACx2hf0FtVDcmaz9e/BCMBMl5pPe+qtPX+DUBdagmA56Vj5KYQ3RDcXkNDfhW
lsTME7w5wcVDsj3ER1TXyhNVCz0fZ1x5jjUshncILb1q+7qfSy1tdpuoawMvEqsO
AdzOgLufoTIli2DOfn4qD4TYxSKsIeBZXqfWJpj6dslABlmzmOmfrFVz6aWobg5A
YFpPJ5mAu5Psx1Z8jpTDznIgQ8BO61SCDQKT/K38nex5dQuXURdXGUQ4XSqzRkJ/
cpfiOBcHUZ7Q0rP05gvHfg7c8rvNZtNtTe843vH46cvLhe17/hjchxMSutkf9FJN
GWMwW4PG1IPFXDS0Y++1fiPBBctJIx1HoeBu2Z97kZA9v0kYa7fZcgOkZ/YIGql9
sWu7hyOr4kkq+Li2P2BDPpWduJI0+DzfKpg71vTxbnORhAKCvJLKO+So7RFq9/Ez
JYQgOPqTwGs=
=8NzE
-----END PGP SIGNATURE-----
From benjamin at py-soft.co.uk Sat Feb 17 12:29:51 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sat, 17 Feb 2007 11:29:51 +0000
Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED!
In-Reply-To: <45D6E5E6.40303@mac.com>
References: <45D64DED.1070800@py-soft.co.uk> <45D6DB5B.4000804@py-soft.co.uk>
<45D6E09F.605@py-soft.co.uk> <45D6E5E6.40303@mac.com>
Message-ID: <45D6E72F.90602@py-soft.co.uk>
Charly Avital wrote:
> Everything is working fine just as reported in my previous e-mail:
> gpg-agent is running fine for signing and decrypting in Thunderbird and Mail
Excellent news! :-)
> Version: GnuPG v1.4.6 (Darwin)
What happens if you use gpg2 for signing etc?
Take care,
Ben
From shavital at mac.com Sat Feb 17 13:01:58 2007
From: shavital at mac.com (Charly Avital)
Date: Sat, 17 Feb 2007 14:01:58 +0200
Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED!
In-Reply-To: <45D6E72F.90602@py-soft.co.uk>
References: <45D64DED.1070800@py-soft.co.uk> <45D6DB5B.4000804@py-soft.co.uk>
<45D6E09F.605@py-soft.co.uk> <45D6E5E6.40303@mac.com>
<45D6E72F.90602@py-soft.co.uk>
Message-ID: <45D6EEB6.90306@mac.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Benjamin Donnachie wrote the following on 2/17/07 1:29 PM:
[...]
>
> What happens if you use gpg2 for signing etc?
1. In Thunderbird, changed the executable path (typed in
/usr/local/bin/gpg2), quit TB, launch TB, everything works fine.
2. I still have to find out how to change the executable path,
system-wide, in GPGPreferences (attention St?phane Corth?sy).
Ben, have a fine week end.
Charly
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.2 (Darwin)
Comment: GnuPG for Privacy
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQEVAwUBRdbuqc3GMi2FW4PvAQideggAr4y9KyqMbQa1j/naigVBlQiB6dBV+Nt6
HPyjyT6WkVl2dDAokuw25qkQK3oZpY2i7aCKXIIDNbhalW6UQevxmzif4WZsNZ5W
75ubuouBv2plSEPbdadQIZ8DjzbhX8kKg+KAv1dCM/n/mIho/MIRaHZ5KW+rOAJk
9RL3Mw5A9zfg0VCzly8svw4BGDPqjy+LTNURaWxBh9f0eVdMQmEMe9CtFyJbfGHz
bdGnA9nPsabTRUyowWqFbDlAxkHc402azKDBuMb79Wqlgwe4TWe366BQ1fP7GLkB
uCOIfXVnXY/juIHTIKDNXVWLsszXDosqB0eJbGTwqWjU61lJbY3+oA==
=qbWn
-----END PGP SIGNATURE-----
From benjamin at py-soft.co.uk Sat Feb 17 13:18:42 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sat, 17 Feb 2007 12:18:42 +0000
Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED!
In-Reply-To: <45D6EEB6.90306@mac.com>
References: <45D64DED.1070800@py-soft.co.uk> <45D6DB5B.4000804@py-soft.co.uk>
<45D6E09F.605@py-soft.co.uk> <45D6E5E6.40303@mac.com>
<45D6E72F.90602@py-soft.co.uk> <45D6EEB6.90306@mac.com>
Message-ID: <45D6F2A2.1030506@py-soft.co.uk>
Charly Avital wrote:
>> What happens if you use gpg2 for signing etc?
> 1. In Thunderbird, changed the executable path (typed in
> /usr/local/bin/gpg2), quit TB, launch TB, everything works fine.
> Version: GnuPG v2.0.2 (Darwin)
Fantastic news! :-)))) Libgcrypt took a while to convince to build as a
Universal Binary and I was concerned that it may not work on Intels.
I've been over the executables with a fine tooth comb (okay, just otool
-L) and there are not dependencies outside the Apple provided libraries,
so the install should work on all Tiger Macs whether Intel or PPC! :-)
(At least that's the theory!)
Be
From benjamin at py-soft.co.uk Sat Feb 17 14:36:42 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sat, 17 Feb 2007 13:36:42 +0000
Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED!
In-Reply-To: <45D64DED.1070800@py-soft.co.uk>
References: <45D64DED.1070800@py-soft.co.uk>
Message-ID: <45D704EA.4030301@py-soft.co.uk>
Benjamin Donnachie wrote:
> No patches were needed to any of the code and only libgcrypt's config.h
> needed a minor edit for endian issues with the fat build.
Unfortunately, gpg v2.0.2 does not appear to recognise the option
pcsc-driver anymore:
$ gpg2 --pcsc-driver /System/Library/Frameworks/PCSC.framework/PCSC
--card-status
gpg: Invalid option "--pcsc-driver"
Despite the following in the man page:
--pcsc-driver file
Use file to access the smartcard reader. The current default is
`libpcsclite.so.1' for GLIBC based systems, `/Sys-
tem/Library/Frameworks/PCSC.framework/PCSC' for MAC OS X, `win-
scard.dll' for Windows and `libpcsclite.so' for other systems.
Neither scdaemon:
/* The card dirver we use by default for PC/SC. */
#if defined(HAVE_W32_SYSTEM) || defined(__CYGWIN__)
#define DEFAULT_PCSC_DRIVER "winscard.dll"
#elif defined(__GLIBC__)
#define DEFAULT_PCSC_DRIVER "libpcsclite.so.1"
#else
#define DEFAULT_PCSC_DRIVER "libpcsclite.so"
#endif
... or pcsc-wrapper correctly default correctly on the Mac:
#define DEFAULT_PCSC_DRIVER "libpcsclite.so"
This shouldn't matter if you are using a CCID compliant smartcard reader
as TEST1 was compiled with libusb support (Though this still needs
testing). However, if you are using a PCSC smartcard reader please
download the newly patched TEST2 at
http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.2-TEST2.zip
Werner et al - any chance the source could please be patched for MacOS,
or support for the pcsc-driver option returned?
Ben
From sadam at clemson.edu Sat Feb 17 13:35:25 2007
From: sadam at clemson.edu (Adam Schreiber)
Date: Sat, 17 Feb 2007 07:35:25 -0500
Subject: Problem with Evolution
In-Reply-To: <1171685056.6052.15.camel@earth>
References: <1171685056.6052.15.camel@earth>
Message-ID: <8298be230702170435x7fb94578j1eec0c5b17bd9433@mail.gmail.com>
On 2/16/07, Marc wrote:
> I use GnuPG 1.4.3 with Ubuntu 6.10, Seahorse 0.9.5 and
> Evolution 2.8.1 and I have this error message :
>
> Because "can't connect to
> `/home/marc/.gnome2/seahorse-akXvEN/S.gpg-agent': Aucun fichier ou
> r?pertoire de ce type
> gpg: impossible de se connecter ?
> `/home/marc/.gnome2/seahorse-akXvEN/S.gpg-agent': connect failed
> gpg: ?criture de `-'
> gpg: DSA/SHA1 signature de: ? 0F70F90E Marc ?
> ", you may need to select different mail options.
>
> I don't have the file S.gpg-agent.
> How to include it in seahorse-akXvEN ?
This message is really more appropriate for the seahorse-users list so
I'm cc'ing it.
I can only imagine that you have changed how you started up
seahorse-agent and now have a stale entry at the end of
~/.gnupg/gpg.conf. Make sure that seahorse-agent is properly chained
into your session with the information found on one of our wiki
pages[1].
Cheers,
Adam
[1] http://live.gnome.org/Seahorse/SessionIntegration
From benjamin at py-soft.co.uk Sat Feb 17 21:48:42 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sat, 17 Feb 2007 20:48:42 +0000
Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED!
In-Reply-To: <45D64DED.1070800@py-soft.co.uk>
References: <45D64DED.1070800@py-soft.co.uk>
Message-ID: <45D76A2A.2090908@py-soft.co.uk>
Benjamin Donnachie wrote:
> ii/ Download
> http://www.py-soft.co.uk/~benjamin/download/mac-gpg/environment.plist
> and save in ~/.MacOSX/
I forgot to mention that this file will need editing - replace all
instances of ~ with the full path to your user area. Unfortunately, it
won't accept the ~ short cut.
Ben
From wk at gnupg.org Sun Feb 18 14:07:52 2007
From: wk at gnupg.org (Werner Koch)
Date: Sun, 18 Feb 2007 14:07:52 +0100
Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED!
In-Reply-To: <45D704EA.4030301@py-soft.co.uk> (Benjamin Donnachie's message of
"Sat\, 17 Feb 2007 13\:36\:42 +0000")
References: <45D64DED.1070800@py-soft.co.uk> <45D704EA.4030301@py-soft.co.uk>
Message-ID: <87ps87havr.fsf@wheatstone.g10code.de>
On Sat, 17 Feb 2007 14:36, benjamin at py-soft.co.uk said:
> $ gpg2 --pcsc-driver /System/Library/Frameworks/PCSC.framework/PCSC
> --card-status
> gpg: Invalid option "--pcsc-driver"
There has never been such an option. You need to specify this option
with scdaemon. gpg2 has no internal fallback support for smart
cards. It requires gpg-agent/scdaemon.
> Despite the following in the man page:
>
> --pcsc-driver file
I'll fix the doc.
> Neither scdaemon:
I just tested scdaemon and it definitely has this option.
> #define DEFAULT_PCSC_DRIVER "libpcsclite.so"
I added a default value for OS X.
Salam-Shalom,
Werner
From benjamin at py-soft.co.uk Sun Feb 18 18:44:48 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sun, 18 Feb 2007 17:44:48 +0000
Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED!
In-Reply-To: <87ps87havr.fsf@wheatstone.g10code.de>
References: <45D64DED.1070800@py-soft.co.uk> <45D704EA.4030301@py-soft.co.uk>
<87ps87havr.fsf@wheatstone.g10code.de>
Message-ID: <45D89090.50401@py-soft.co.uk>
Werner Koch wrote:
> There has never been such an option. You need to specify this option
> with scdaemon. gpg2 has no internal fallback support for smart
> cards. It requires gpg-agent/scdaemon.
[...]
>> Despite the following in the man page:
> I'll fix the doc.
That'd be good - many thanks.
>> Neither scdaemon:
> I just tested scdaemon and it definitely has this option.
But it wasn't defaulting correctly for Mac OS X though.
>> #define DEFAULT_PCSC_DRIVER "libpcsclite.so"
> I added a default value for OS X.
That's great - many thanks! :-)
Ben
From pubmb01 at skynet.be Sun Feb 18 23:11:37 2007
From: pubmb01 at skynet.be (Bruno Costacurta)
Date: Sun, 18 Feb 2007 23:11:37 +0100
Subject: Keyserver refresh period after gpg --send-keys
Message-ID: <200702182311.37828.pubmb01@skynet.be>
Hello,
I updated the expiration (via gpg --edit-key using expire option) of my key
and (re)sended it to a keyserver (via gpg --send-keys [my key id]) to
keyserver subkeys.pgp.net.
However key is still not updated after few hours.
What are normal delays ?
Bye,
Bruno
--
http://counter.li.org/
#353844
--
From JPClizbe at tx.rr.com Mon Feb 19 02:34:16 2007
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Sun, 18 Feb 2007 19:34:16 -0600
Subject: Keyserver refresh period after gpg --send-keys
In-Reply-To: <200702182311.37828.pubmb01@skynet.be>
References: <200702182311.37828.pubmb01@skynet.be>
Message-ID: <45D8FE98.4080408@tx.rr.com>
Bruno Costacurta wrote:
> Hello,
>
> I updated the expiration (via gpg --edit-key using expire option) of my key
> and (re)sended it to a keyserver (via gpg --send-keys [my key id]) to
> keyserver subkeys.pgp.net.
> However key is still not updated after few hours.
> What are normal delays ?
Depends on the actual server that subkeys.pgp.net resolved to.
Try sending to the SKS keyserver net, hkp://pool.sks-keyservers.net
--
John P. Clizbe Inet: JPClizbe(a)tx DAWT rr DAHT com
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 663 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20070218/26751f1d/attachment.pgp
From niknot at gmail.com Mon Feb 19 01:27:24 2007
From: niknot at gmail.com (NikNot)
Date: Sun, 18 Feb 2007 16:27:24 -0800
Subject: Newbie question
In-Reply-To: <87ps8je8np.fsf@wheatstone.g10code.de>
References: <45CC027200049718@> <87ps8je8np.fsf@wheatstone.g10code.de>
Message-ID: <328a5cf40702181627w3cbfd1bcq1a78269277006740@mail.gmail.com>
I used libTomCrypt (cf.: http://libtom.org/) to implement something
similar. The data viewer executable contains (somewhat concealed)
private key, and data sets are encrypted using the public key of the
pair. (LibTomCrypt is much more flexible and easier to program against
than Libgcrypt when you are building your own applications that have
nthing to do with PGP). Piping data through GPG is not a solution that
our users would appreciate.
NikNot
On 2/9/07, Werner Koch wrote:
> On Fri, 9 Feb 2007 12:01, antonio.bleile at seac02.it said:
>
> > - Does libcrypt do the job? I guess so...
>
> No. Libgcrypt provides basic building blocks but has no support for
> any specific protocol.
>
> > - The CAD data may contain a fixed header, so an atacker knowing
> > the header might use this info to easily get the private key?
>
> It all depends on the protocol used. Getting the protocol right is
> not easy and thus the best advise I can give is to use an established
> protocol like OpenPGP or CMS (pkcs#7)
>
> For your application I would simply use a different file suffix or a
> special MIME type and pipe the data through gpg while reading.
>
>
> Salam-Shalom,
>
> Werner
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
From dshaw at jabberwocky.com Mon Feb 19 05:31:55 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 18 Feb 2007 23:31:55 -0500
Subject: Keyserver refresh period after gpg --send-keys
In-Reply-To: <200702182311.37828.pubmb01@skynet.be>
References: <200702182311.37828.pubmb01@skynet.be>
Message-ID: <20070219043155.GA6216@jabberwocky.com>
On Sun, Feb 18, 2007 at 11:11:37PM +0100, Bruno Costacurta wrote:
> Hello,
>
> I updated the expiration (via gpg --edit-key using expire option) of my key
> and (re)sended it to a keyserver (via gpg --send-keys [my key id]) to
> keyserver subkeys.pgp.net.
> However key is still not updated after few hours.
> What are normal delays ?
There is not an easy answer to that question. subkeys.pgp.net is not
actually a keyserver, but rather a collection of (at the moment) 5
different keyservers. When you use it, you get one server from the
pool in a round-robin fashion. Generally speaking, any given
keyserver in the pool that you update reflects the update immediately,
but frequently people update one keyserver in the pool, but then check
for the update from another server in the pool which hasn't gotten it
yet.
That said, if you don't see an update by tomorrow, I'd send it again.
David
From eemaestro at gmail.com Mon Feb 19 15:21:56 2007
From: eemaestro at gmail.com (eemaestro at gmail.com)
Date: Mon, 19 Feb 2007 09:21:56 -0500
Subject: Local file encryption
Message-ID: <356ca3c00702190621t5f18532dje039b76267d9223d@mail.gmail.com>
I have been using gpg to encrypt/decrypt files on my computer "for my
eyes only". I have been using my public/private keypair on my keyring
to do so. I just discovered that I can use encrypt/decrypt local
files using a symmetric cipher--i.e., you enter one secret passphrase
to encrypt and then enter the same secret passphrase to decrypt.
Since my encryption is only for files for myself, do you think using a
symmetric cipher would be a better idea, or doesn't it matter? Or
is choice of a passphrase a bigger issue than the type of cipher --
symmetric vs. public/private keypair ?
From ml at mareichelt.de Mon Feb 19 16:41:37 2007
From: ml at mareichelt.de (markus reichelt)
Date: Mon, 19 Feb 2007 16:41:37 +0100
Subject: Key signing at FOSDEM
Message-ID: <20070219154137.GC7353@tatooine.rebelbase.local>
Hi,
this is just a reminder that there's a key signing party at FOSDEM
this year again. I am a bit late to post this note (due to carneval
season), submissions are already closed by now, but it's possible to
exchange key fingerprints according to the usual scheme (with me ;-)
FOSDEM takes place in Brussels, 24/25th this month.
http://fosdem.org/2007/keysigning#gpg for more info
PS: There's a CAcert event as well, in case you are interested.
--
left blank, right bald
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20070219/db276420/attachment-0001.pgp
From JPClizbe at tx.rr.com Mon Feb 19 17:05:53 2007
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Mon, 19 Feb 2007 10:05:53 -0600
Subject: Local file encryption
In-Reply-To: <356ca3c00702190621t5f18532dje039b76267d9223d@mail.gmail.com>
References: <356ca3c00702190621t5f18532dje039b76267d9223d@mail.gmail.com>
Message-ID: <45D9CAE1.7040904@tx.rr.com>
eemaestro at gmail.com wrote:
> I have been using gpg to encrypt/decrypt files on my computer "for my
> eyes only". I have been using my public/private keypair on my keyring
> to do so. I just discovered that I can use encrypt/decrypt local
> files using a symmetric cipher--i.e., you enter one secret passphrase
> to encrypt and then enter the same secret passphrase to decrypt.
> Since my encryption is only for files for myself, do you think using a
> symmetric cipher would be a better idea, or doesn't it matter? Or
> is choice of a passphrase a bigger issue than the type of cipher --
> symmetric vs. public/private keypair ?
If your GnuPG keyring files reside on the computer, then either approach is
equivalent -- your protection is ultimately determined by the strength of the
chosen passphrase protecting the secret key or the encrypted file.
Either method will encrypt the file using a symmetric cipher. The difference is
that in OpenPGP, a random session key is generated and that is used to
symmetrically encrypt the file. Then, the session key is encrypted using the
chosen public key(s).
The passphrase is only one protection on your keypair and it's pretty much the
protection of last resort - given an easily guessable/brute-forced passphrase,
it's "Game-Over." if an attacker gets access to the keyring files. Another
protection is to physically secure your keyring files (or at the minimum, the
secret ring) by storing it on removable media of some sort: floppy, PCMCIA flash
card, USB dongle,... and removing that media when you leave the computer. Now,
an attacker must have both the media with the secret keyring as well as the
secret key's passphrase.
If removable media is not an option, or for additional security on removable
media, you may use a disk encryption product such as TrueCrypt to create an
encrypted volume to store your keyring files. (Hint: Use a new key and passphrase.)
--
John P. Clizbe Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."
"Just how do the residents of Haiku, Hawai'i hold conversations?"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 663 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20070219/92a15420/attachment.pgp
From nobody at dizum.com Fri Feb 16 20:10:02 2007
From: nobody at dizum.com (Nomen Nescio)
Date: Fri, 16 Feb 2007 20:10:02 +0100 (CET)
Subject: storing password lists in mails to myself on IMAP?
References: <371A3ACE-9966-4B7C-8278-039616635A94@sixdemonbag.org>
Message-ID: <93d1c364422a311e2ebf9f3ccc9aaf7c@dizum.com>
Robert J. Hansen wrote:
> > Maybe you should think things through, or God forbid even run a
> > few tests or something before puffing your chest there Robert.
> > Especially when you're in the unenviable position of potentialy
> > being your own proof of concept.
>
> I don't know why you have such an allergy to being shown wrong. Or
> why you think I do.
>
> It works like this: if you can find me a commonly-used IMAP client
> that's this stupid, then I will welcome being shown wrong. And
> really, why shouldn't I? Being wrong isn't the end of the world.
Well Robert, unless you care to further debase yourself by trying to
argue the Thunderbird isn't a "commonly-used IMAP client" you've
been handed the very example you're harping about. By two different
people no less.
It was in the part you snipped and ignored, in case you were wondering.
The bottom line is this: There's probably a lot of IMAP clients out
there that will by default or design write portions or whole copies
of unencrypted text to a server. It really doesn't take a boat load
of IQ points to realize this is the nature of IMAP.
Storing pass phrases in email at all is bad idea for a number of
reasons. You don't have many clues what a client does with it when it's
open for one. The odds you'll inadvertantly click where you shouldn't
and send an unencrypted copy some place you don't want it to go
increase dramatically too. Likewise the chances of corruption or
compromise at the hands of some script kiddie.
If we invested a little thought in the project though we could
probably come up with a few dozen reasons why mailing passwords about
is a bad idea even if you have absolute control over the hardware at
the end points of the encryption, let ALONE any scenario where you
can't guarantee they won't be written to hardware you don't own. In the
clear. :-(
From alex at bofh.net.pl Mon Feb 19 17:11:14 2007
From: alex at bofh.net.pl (Janusz A. Urbanowicz)
Date: Mon, 19 Feb 2007 17:11:14 +0100
Subject: Local file encryption
In-Reply-To: <356ca3c00702190621t5f18532dje039b76267d9223d@mail.gmail.com>
References: <356ca3c00702190621t5f18532dje039b76267d9223d@mail.gmail.com>
Message-ID: <20070219161114.GK7549@hell.pl>
On Mon, Feb 19, 2007 at 09:21:56AM -0500, eemaestro at gmail.com wrote:
> I have been using gpg to encrypt/decrypt files on my computer "for my
> eyes only". I have been using my public/private keypair on my keyring
> to do so. I just discovered that I can use encrypt/decrypt local
> files using a symmetric cipher--i.e., you enter one secret passphrase
> to encrypt and then enter the same secret passphrase to decrypt.
> Since my encryption is only for files for myself, do you think using a
> symmetric cipher would be a better idea, or doesn't it matter? Or
> is choice of a passphrase a bigger issue than the type of cipher --
> symmetric vs. public/private keypair ?
It doesnt matter, in both cases the files are symmetrically encrypted,
only keying method changes.
I prefer to use pubkey encryption anyway, , one passphrase less to remember.
--
JID: alex at hell.pl
PGP: 0x46399138
od zwracania uwagi na detale s? lekarze, adwokaci, programi?ci i zegarmistrze
-- Czerski
From jharris at widomaker.com Mon Feb 19 17:51:02 2007
From: jharris at widomaker.com (Jason Harris)
Date: Mon, 19 Feb 2007 11:51:02 -0500
Subject: Keyserver refresh period after gpg --send-keys
In-Reply-To: <20070219043155.GA6216@jabberwocky.com>
References: <200702182311.37828.pubmb01@skynet.be>
<20070219043155.GA6216@jabberwocky.com>
Message-ID: <20070219165102.GA82395@wilma.widomaker.com>
On Sun, Feb 18, 2007 at 11:31:55PM -0500, David Shaw wrote:
> On Sun, Feb 18, 2007 at 11:11:37PM +0100, Bruno Costacurta wrote:
> > I updated the expiration (via gpg --edit-key using expire option) of my key
> > and (re)sended it to a keyserver (via gpg --send-keys [my key id]) to
> > keyserver subkeys.pgp.net.
> > However key is still not updated after few hours.
> > What are normal delays ?
Keys do get temporarily "trapped" on the SKS keyserver network until
keyserver.kjsl.com copies them over to the rest of the planet.
BTW, your subkey isn't currently usable:
sub 2048g/0CC897B5 2006-06-11 [subkey]
Key fingerprint = CCE0 5315 0022 9460 0337 6C6F 4253 1C9A 0CC8 97B5
sig 0x18 2E604D51 2006-06-11 [skey EXPIRED 2006-12-08] [keybind, hash: type 2, e0 0f]
sig 0x18 2E604D51 2006-06-11 [skey EXPIRED 2006-12-08] [keybind, hash: type 2, e0 0f]
> There is not an easy answer to that question. subkeys.pgp.net is not
> actually a keyserver, but rather a collection of (at the moment) 5
> different keyservers. When you use it, you get one server from the
> pool in a round-robin fashion. Generally speaking, any given
> keyserver in the pool that you update reflects the update immediately,
> but frequently people update one keyserver in the pool, but then check
> for the update from another server in the pool which hasn't gotten it
> yet.
NB: I think if GPG printed the IP address of the keyserver it used, it
could end some of this confusion.
Specifically, these were in a batch update from SKS to onak/OpenPKSD/pks/
etc. (all times are TZ=UTC):
2007-02-06 23:02:08.290952260 display_new_sig: new sig 28 by 2E604D51 added to 2E604D51 Bruno Costacurta
and these were in another batch update:
2007-02-18 23:02:27.870255691 display_new_sig: new sig 71 by 2E604D51 added to 2E604D51 Bruno Costacurta
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 313 bytes
Desc: not available
Url : /pipermail/attachments/20070219/0ef23c22/attachment.pgp
From a24061 at yahoo.com Mon Feb 19 17:42:42 2007
From: a24061 at yahoo.com (Adam Funk)
Date: Mon, 19 Feb 2007 16:42:42 +0000
Subject: Local file encryption
References: <356ca3c00702190621t5f18532dje039b76267d9223d@mail.gmail.com>
<45D9CAE1.7040904@tx.rr.com>
Message-ID: <2l0pa4-8rp.ln1@news.ducksburg.com>
On 2007-02-19, John Clizbe wrote:
> The passphrase is only one protection on your keypair and it's
> pretty much the protection of last resort - given an easily
> guessable/brute-forced passphrase, it's "Game-Over." if an attacker
> gets access to the keyring files. Another protection is to
> physically secure your keyring files (or at the minimum, the secret
> ring) by storing it on removable media of some sort:
Is there any reason to physically secure your *public* keyring in
normal use? (Well, I suppose you might want to hide your secret
identity!)
From dshaw at jabberwocky.com Mon Feb 19 18:19:32 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 19 Feb 2007 12:19:32 -0500
Subject: Keyserver refresh period after gpg --send-keys
In-Reply-To: <20070219165102.GA82395@wilma.widomaker.com>
References: <200702182311.37828.pubmb01@skynet.be>
<20070219043155.GA6216@jabberwocky.com>
<20070219165102.GA82395@wilma.widomaker.com>
Message-ID: <20070219171932.GA9543@jabberwocky.com>
On Mon, Feb 19, 2007 at 11:51:02AM -0500, Jason Harris wrote:
> > There is not an easy answer to that question. subkeys.pgp.net is not
> > actually a keyserver, but rather a collection of (at the moment) 5
> > different keyservers. When you use it, you get one server from the
> > pool in a round-robin fashion. Generally speaking, any given
> > keyserver in the pool that you update reflects the update immediately,
> > but frequently people update one keyserver in the pool, but then check
> > for the update from another server in the pool which hasn't gotten it
> > yet.
>
> NB: I think if GPG printed the IP address of the keyserver it used, it
> could end some of this confusion.
I think you're right (to print as a "verbose" thing for those who care
to know or to help with debugging), but unfortunately there is not an
easy way to get the IP address when using libcurl. I'm not
particularly eager to start playing socket games with
CURLINFO_LASTSOCKET just to get a string to print.
David
From niknot at gmail.com Mon Feb 19 19:54:17 2007
From: niknot at gmail.com (NikNot)
Date: Mon, 19 Feb 2007 10:54:17 -0800
Subject: Secret key holder identity (was: Local file encryption)
Message-ID: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com>
On 2/19/07, Adam Funk wrote:
> Is there any reason to physically secure your *public* keyring in
> ... (Well, I suppose you might want to hide your secret identity!)
Unfortunately, the whole GPG, with WebOfTrust construct, makes the
assumption that there is no need whatsoever to protect the identity of
the secret key holder (and, by extension, that traffic analysis - as
opposed to the secret content analysis - is not something to be
concerned with).
NikNot
From jbruni at mac.com Mon Feb 19 21:27:38 2007
From: jbruni at mac.com (Joseph Oreste Bruni)
Date: Mon, 19 Feb 2007 13:27:38 -0700
Subject: Secret key holder identity (was: Local file encryption)
In-Reply-To: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com>
References: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com>
Message-ID: <352D579D-A797-4216-AEE4-72BDE1413C98@mac.com>
On Feb 19, 2007, at 11:54 AM, NikNot wrote:
> On 2/19/07, Adam Funk wrote:
>> Is there any reason to physically secure your *public* keyring in
>> ... (Well, I suppose you might want to hide your secret identity!)
>
> Unfortunately, the whole GPG, with WebOfTrust construct, makes the
> assumption that there is no need whatsoever to protect the identity of
> the secret key holder (and, by extension, that traffic analysis - as
> opposed to the secret content analysis - is not something to be
> concerned with).
>
> NikNot
>
> ___
It's funny you mention this: I got into an argument with a
"consultant" about how X.509 certificates are a privacy violation
because your identity is encoded into the "subject" field. I kept
asking him, "How would you know whose cert. it is without it?" At any
rate, there are lot of bozos in the world posing as "security
experts" who shouldn't be taken seriously.
Joe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2508 bytes
Desc: not available
Url : /pipermail/attachments/20070219/e55b3db3/attachment.bin
From JPClizbe at tx.rr.com Mon Feb 19 21:27:07 2007
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Mon, 19 Feb 2007 14:27:07 -0600
Subject: Local file encryption
In-Reply-To: <2l0pa4-8rp.ln1@news.ducksburg.com>
References: <356ca3c00702190621t5f18532dje039b76267d9223d@mail.gmail.com> <45D9CAE1.7040904@tx.rr.com>
<2l0pa4-8rp.ln1@news.ducksburg.com>
Message-ID: <45DA081B.2040507@tx.rr.com>
Adam Funk wrote:
> On 2007-02-19, John Clizbe wrote:
>
>> The passphrase is only one protection on your keypair and it's
>> pretty much the protection of last resort - given an easily
>> guessable/brute-forced passphrase, it's "Game-Over." if an attacker
>> gets access to the keyring files. Another protection is to
>> physically secure your keyring files (or at the minimum, the secret
>> ring) by storing it on removable media of some sort:
>
> Is there any reason to physically secure your *public* keyring in
> normal use?
Convenience of having all the files together in one place and mitigating the
need to sync keys between public keyrings are only reasons that come to mind.
Outside of convenience factors, there is no real need to secure public keyrings;
that's why the keys are public.
--
John P. Clizbe Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."
"Just how do the residents of Haiku, Hawai'i hold conversations?"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 663 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20070219/482613b6/attachment-0001.pgp
From niknot at gmail.com Tue Feb 20 00:16:44 2007
From: niknot at gmail.com (NikNot)
Date: Mon, 19 Feb 2007 15:16:44 -0800
Subject: Secret key holder identity (was: Local file encryption)
In-Reply-To: <352D579D-A797-4216-AEE4-72BDE1413C98@mac.com>
References: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com>
<352D579D-A797-4216-AEE4-72BDE1413C98@mac.com>
Message-ID: <328a5cf40702191516k6d981224pf472bc9fdac19746@mail.gmail.com>
On 2/19/07, Joseph Oreste Bruni wrote:
> It's funny you mention this: I got into an argument with a
> "consultant" about how X.509 certificates are a privacy violation
> because your identity is encoded into the "subject" field. I kept
> asking him, "How would you know whose cert. it is without it?" At any
> rate, there are lot of bozos in the world posing as "security
> experts" who shouldn't be taken seriously.
(Its not clear (to me) from the above what was "the bozo" saying: that
the certificates _are_ or _are not_ a privacy violation?)
I find it very interesting that Phil Zimmemann, who invented WOT,
apparently realizes that times are changing, and that WOT has
outlived its usefullness; specifically because - unlike perhaps at
the time of birth of PGP - trafic analysis is a threat that may be
naively ignored only in geek kindergartens, but not in the real life.
NikNot
From wk at gnupg.org Tue Feb 20 11:23:50 2007
From: wk at gnupg.org (Werner Koch)
Date: Tue, 20 Feb 2007 11:23:50 +0100
Subject: Compiling GnuPG 2.0.1 on MacOS X
In-Reply-To: <45D35BD4.1000703@py-soft.co.uk> (Benjamin Donnachie's message of
"Wed\, 14 Feb 2007 18\:58\:28 +0000")
References: <20070104.141847.12788317.kazu@iij.ad.jp>
<20070105194302.GH1278@curie-int.orbis-terrarum.net>
<87wt33l1t7.fsf@wheatstone.g10code.de>
<45C0A96B.6090301@py-soft.co.uk> <45C0D588.70106@py-soft.co.uk>
<45CF561B.90305@py-soft.co.uk> <45CF6F07.9040809@py-soft.co.uk>
<45D20B7C.8030909@py-soft.co.uk>
<20070214082219.GA1956@straylight.m.ringlet.net>
<45D35BD4.1000703@py-soft.co.uk>
Message-ID: <87y7mt9lft.fsf@wheatstone.g10code.de>
On Wed, 14 Feb 2007 19:58, benjamin at py-soft.co.uk said:
> 'cos I was searching through my MacOS programming book for a solution to
> MacOS X not reading the GUI bundle information and it suggested using
> system.
I might have a solution. In agent/call-pinentry you find this code:
if ( !(pgmname = strrchr (opt.pinentry_program, '/')))
pgmname = opt.pinentry_program;
else
pgmname++;
argv[0] = pgmname;
What is does is to setup argv[0] so that there is no directory part.
Now my guess is that OS X uses argv[0] to locate the bundle and won't
find it if there is no directory part in argv[0]. To test it, you
just need to change the last line to:
argv[0] = opt.pinentry_program;
Let me know if it works and I change the code.
Using system helps because it creates a new argv[0].
Shalom-Salam,
Werner
From benjamin at py-soft.co.uk Tue Feb 20 14:48:03 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Tue, 20 Feb 2007 13:48:03 +0000
Subject: Compiling GnuPG 2.0.1 on MacOS X
In-Reply-To: <87y7mt9lft.fsf@wheatstone.g10code.de>
References: <20070104.141847.12788317.kazu@iij.ad.jp> <20070105194302.GH1278@curie-int.orbis-terrarum.net> <87wt33l1t7.fsf@wheatstone.g10code.de> <45C0A96B.6090301@py-soft.co.uk>
<45C0D588.70106@py-soft.co.uk> <45CF561B.90305@py-soft.co.uk>
<45CF6F07.9040809@py-soft.co.uk> <45D20B7C.8030909@py-soft.co.uk> <20070214082219.GA1956@straylight.m.ringlet.net> <45D35BD4.1000703@py-soft.co.uk>
<87y7mt9lft.fsf@wheatstone.g10code.de>
Message-ID: <45DAFC13.40103@py-soft.co.uk>
Werner Koch wrote:
> Let me know if it works and I change the code.
It works perfectly - many thanks! :-)))
> Using system helps because it creates a new argv[0].
Unfortunately, I was barking up the wrong tree after reading that MacOSX
relies upon modified copies of the shell interpreters to interpret the
bundle information. I must remember to be more critical of what I read
on the web! :-/
In theory, this should also mean that the QT version of pinentry when
properly bundled up should also work correctly.
Rather than produce a whole new install to test v2.0.2, I'll knock
together an archive with just the files that have changed.
Thanks again for all your help,
Ben
From benjamin at py-soft.co.uk Tue Feb 20 15:22:45 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Tue, 20 Feb 2007 14:22:45 +0000
Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED!
In-Reply-To: <45D64DED.1070800@py-soft.co.uk>
References: <45D64DED.1070800@py-soft.co.uk>
Message-ID: <45DB0435.1010302@py-soft.co.uk>
Benjamin Donnachie wrote:
> I have a test version of a GnuPG v2.0.2 Mac OS Tiger install available
Patch for TEST2 available at
http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.2-TEST2-PATCH1.zip
and sig at
http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.2-TEST2-PATCH1.zip.sig
This implements the more secure method of involving pinentry directly.
Just download the archive, extract and then follow the instructions in
readme.txt.
Feedback still needed; particularly from OpenPGP smartcard users.
Ben
From alex at bofh.net.pl Tue Feb 20 15:24:40 2007
From: alex at bofh.net.pl (Janusz A. Urbanowicz)
Date: Tue, 20 Feb 2007 15:24:40 +0100
Subject: Secret key holder identity (was: Local file encryption)
In-Reply-To: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com>
References: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com>
Message-ID: <20070220142440.GL7549@hell.pl>
On Mon, Feb 19, 2007 at 10:54:17AM -0800, NikNot wrote:
> On 2/19/07, Adam Funk wrote:
> >Is there any reason to physically secure your *public* keyring in
> >... (Well, I suppose you might want to hide your secret identity!)
>
> Unfortunately, the whole GPG, with WebOfTrust construct, makes the
> assumption that there is no need whatsoever to protect the identity of
> the secret key holder (and, by extension, that traffic analysis - as
> opposed to the secret content analysis - is not something to be
> concerned with).
That statement is definitely not true.
* PGP was the first cryptosystem to hide sender's ID (when signing+encrypting),
compare PEM to see the difference;
* one can issue himself a key pair with pseudonym User ID the same way
as with RL identity and use it normally;
* without having recipient pubkey it is impossible to determine the recipient of the message
(assuming the subkey ID is not widely known)
* it is possible to hide recipient's completely ID by using --throw-keyid
Alex
--
JID: alex at hell.pl
PGP: 0x46399138
od zwracania uwagi na detale s? lekarze, adwokaci, programi?ci i zegarmistrze
-- Czerski
From mail at raphael.poss.name Mon Feb 19 23:45:56 2007
From: mail at raphael.poss.name (=?ISO-8859-1?Q?Rapha=EBl_Poss?=)
Date: Mon, 19 Feb 2007 23:45:56 +0100
Subject: Use same key for S/MIME and OpenPGP
Message-ID: <4C78E9B9-147D-4040-8BFC-F863CF5C66F3@raphael.poss.name>
Hi all,
I'm just curious: since a RSA public key is made mainly of just two
numbers, is it not possible (theoretically) to create both a valid
PGP key and X509 certificate using the same key information, and use
it with both protocols?
Also, is it not (theoretically) possible to convert X509 key
certificates to PGP key signatures or vice-versa, based on the
numerical values of the signing certificates/keys ?
If not, I would be interested to know what are the technical
limitations.
Thanks in advance for any insight,
--
Raphael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: =?ISO-8859-1?Q?Ceci_est_une_signature_=E9lectronique_PGP?=
Url : /pipermail/attachments/20070219/8a07fe62/attachment-0001.pgp
From sven at radde.name Tue Feb 20 09:24:50 2007
From: sven at radde.name (Sven Radde)
Date: Tue, 20 Feb 2007 09:24:50 +0100
Subject: Secret key holder identity (was: Local file encryption)
In-Reply-To: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com>
References: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com>
Message-ID: <45DAB052.80505@radde.name>
NikNot schrieb:
> Unfortunately, the whole GPG, with WebOfTrust construct, makes the
> assumption that there is no need whatsoever to protect the identity of
> the secret key holder
You have, however, the possibility of using pseudonyms as UID. Only the
signers of your key would have to know about your true identity.
Another option against traffic analysis is to drop the Key-IDs of the
recipients of encrypted mail (-throw-key-ids IIRC?!).
cu, Sven
From paul.house at connect-spot.com Tue Feb 20 12:41:25 2007
From: paul.house at connect-spot.com (PaulH)
Date: Tue, 20 Feb 2007 03:41:25 -0800 (PST)
Subject: walkthrough
Message-ID: <9060231.post@talk.nabble.com>
Hi,
I have just installed gpg4win-1.0.8. I'm new to this and not sure what I'm
doing exactly and haven't the time to teach myself. I have looked for
tutorials etc but can only find using gpg from the command line. All I
simply need to do is set up a private key and be able to send encrypted
emails to a particular client. I have tried but any email sent
is not encrypted. My mail client is Outlook 2003.
At some point the emails will automatically be sent from a server, the
emails themselves will be generated by php script. Are there any issues
with using gpg in this way?
Sorry for the brevity of this post but I have my boss breathing down my neck
expecting answers.
Regards
Paul
--
View this message in context: http://www.nabble.com/walkthrough-tf3259979.html#a9060231
Sent from the GnuPG - User mailing list archive at Nabble.com.
From niknot at gmail.com Tue Feb 20 18:02:27 2007
From: niknot at gmail.com (NikNot)
Date: Tue, 20 Feb 2007 09:02:27 -0800
Subject: Secret key holder identity (was: Local file encryption)
In-Reply-To: <20070220142440.GL7549@hell.pl>
References: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com>
<20070220142440.GL7549@hell.pl>
Message-ID: <328a5cf40702200902k5c3c7d15l8a6c8900cf90e5ba@mail.gmail.com>
On 2/20/07, Janusz A. Urbanowicz wrote:
> * without having recipient pubkey it is impossible to determine the recipient
> of the message (assuming the subkey ID is not widely known)
...
If the system was designed for the real world, the encrypted message
would, by default, consist of a binary data set, indistingushable from a
random stream, until and unless decrypted using the recipient's private key.
NikNot
From vedaal at hush.com Tue Feb 20 18:16:52 2007
From: vedaal at hush.com (vedaal at hush.com)
Date: Tue, 20 Feb 2007 12:16:52 -0500
Subject: Secret key holder identity (was: Local file encryption)
Message-ID: <20070220171653.783712284A@mailserver9.hushmail.com>
Janusz A. Urbanowicz alex at bofh.net.pl wrote on
Tue Feb 20 15:24:40 CET 2007 :
>* it is possible to hide recipient's completely ID by using --
throw-keyid
well, not 'completely'
running gpg-list-packets or pgpdump on the encrypted message,
lists the key-type (dh or rsa), key size, and symmetric algorithm
used
so, for people who prefer 8092 rsa keys and use blowfish
[ you know who you are ;-)) ]
using throw keyid won't help much ...
vedaal
--
Click to get 125% of your home's value, super fast, no lender fees
http://tagline.hushmail.com/fc/CAaCXv1QaK0r1IT1ABMgmz21Tf3y9WCZ/
From vedaal at hush.com Tue Feb 20 19:00:38 2007
From: vedaal at hush.com (vedaal at hush.com)
Date: Tue, 20 Feb 2007 13:00:38 -0500
Subject: Secret key holder identity (was: Local file encryption)
Message-ID: <20070220180039.8C7812284F@mailserver9.hushmail.com>
vedaal at hush.com vedaal at hush.com
Tue Feb 20 18:16:52 CET 2007 wrote:
> running gpg-list-packets or pgpdump on the encrypted message,
lists the key-type (dh or rsa), key size, and symmetric algorithm
used
sorry,
my mistake ;-((
pgpdump doesn't list which symmetric algo,
only lists that an mdc was or wasn't used
the actual symmetric algo type used is encrypted with the session
key to the public key
is there a way to tell though,
(without decrypting)
which symmetric algo was used?
tia,
vedaal
--
Click to consolidate your debt and lower your monthly expenses
http://tagline.hushmail.com/fc/CAaCXv1QPxbwBGTnei9j0EserPyHAirc/
From shavital at mac.com Tue Feb 20 20:00:19 2007
From: shavital at mac.com (Charly Avital)
Date: Tue, 20 Feb 2007 21:00:19 +0200
Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED!
In-Reply-To: <45DB0435.1010302@py-soft.co.uk>
References: <45D64DED.1070800@py-soft.co.uk> <45DB0435.1010302@py-soft.co.uk>
Message-ID: <45DB4543.8060008@mac.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi,
Tested successfully on PPC (Powerbook 15" G4 1.33GHz), and Intel Core 2
Duo (MacBook 2 13" 2GHz), both running MacOS X 10.4.8.
Thank you Ben.
Charly
Benjamin Donnachie wrote the following on 2/20/07 4:22 PM:
> Benjamin Donnachie wrote:
>> I have a test version of a GnuPG v2.0.2 Mac OS Tiger install available
>
> Patch for TEST2 available at
> http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.2-TEST2-PATCH1.zip
> and sig at
> http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.2-TEST2-PATCH1.zip.sig
>
> This implements the more secure method of involving pinentry directly.
>
> Just download the archive, extract and then follow the instructions in
> readme.txt.
>
> Feedback still needed; particularly from OpenPGP smartcard users.
>
> Ben
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.2 (Darwin)
Comment: GnuPG for Privacy
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQEVAwUBRdtFPs3GMi2FW4PvAQhuOgf+MwBObMdJERCtA5f4/0R30Nwm5AzIaSIr
Le1F2ZMEo31dITRpIK5pv8mhWLGeGsZz+qYu5/qbIxwNNj1kW+m8oE+ySKItwneF
jpm5UtGihBHPoRp72bIhOqHwoNK+wF/TD7Rme+iCf6sVk5lKX5FoPHii08nQ8GGN
X9ZTY3qBJGw6ZOBllKqwoGnEaWcVbRsFV3WQuvEwSVmghEVpNG17I98dKfkUsaHY
906DNuozzmlooGXkuX9LDBHM43ylyTTW7Ktlkm2SheoSGWRtvsNsVSZ6JG27SDt5
4Is4MApI8YzuXbFvk2/Ust4yDAF3OEZ7zwL3aPj+Z0txXNuWDtU1Cg==
=iZU5
-----END PGP SIGNATURE-----
From niknot at gmail.com Thu Feb 22 02:19:52 2007
From: niknot at gmail.com (NikNot)
Date: Wed, 21 Feb 2007 17:19:52 -0800
Subject: Secret key holder identity (was: Local file encryption)
In-Reply-To: <20070220180039.8C7812284F@mailserver9.hushmail.com>
References: <20070220180039.8C7812284F@mailserver9.hushmail.com>
Message-ID: <328a5cf40702211719k54e99b3cu2c9030535d998afe@mail.gmail.com>
On 2/20/07, vedaal at hush.com wrote:
> pgpdump doesn't list which symmetric algo,
> only lists that an mdc was or wasn't used
The attacker performing large-scale traffic uses his own software that
is - so it must be presumed - capable of distilling all (to him)
usefull information from the flow of messages. Consequently, the
question should not be what pgpdump will or will not produce, the
question should be what information is or is not contained in the
message previous to its decryption.
NikNot
From jharris at widomaker.com Thu Feb 22 04:06:40 2007
From: jharris at widomaker.com (Jason Harris)
Date: Wed, 21 Feb 2007 22:06:40 -0500
Subject: new (2007-02-18) keyanalyze results (+sigcheck)
Message-ID: <20070222030640.GA11959@wilma.widomaker.com>
New keyanalyze results are available at:
http://keyserver.kjsl.com/~jharris/ka/2007-02-18/
Signatures are now being checked using keyanalyze+sigcheck:
http://dtype.org/~aaronl/
Earlier reports are also available, for comparison:
http://keyserver.kjsl.com/~jharris/ka/
Even earlier monthly reports are at:
http://dtype.org/keyanalyze/
SHA-1 hashes and sizes for all the "permanent" files:
6223f3b4be449e8973f25c64ab56432561396786 14501664 preprocess.keys
bd467da8b2eb9370bdbfcebedeba81f8e290f926 8500470 othersets.txt
c8068451d690c8514377c7e721831554d06696d1 3493296 msd-sorted.txt
ee7513d6673185c48dd654a1e8e683b1f7c8788f 1450 index.html
65f95783f1cecccbda9f03aa130fbbb3192efc00 2278 keyring_stats
3bb6777995a0896c97138dcb82c70d8bbd77b96e 1374285 msd-sorted.txt.bz2
46f0b7e3b8429e96adaac2c451af6d8e18c202c1 26 other.txt
a6beb7767223d04e7e6c7c55ab110876b28c2fd2 1844558 othersets.txt.bz2
0a4b4f0cd325836ee7fc6498d8e013e176013dde 5901206 preprocess.keys.bz2
a4654bbc1b95c89b4bed19a6b9ec18233aba12b0 14728 status.txt
86d7adf2acfc22a5de070bb7df2b24d314ecd9fd 194548 top1000table.html
36e0127b31c75a1051ba0fc32ff6d973ed468faf 29703 top1000table.html.gz
be7a6d26967cc3f5021bba2bfa0633fd3b25d305 9791 top50table.html
16c570a7443f24cb544c8eab20efec045e9fbc2d 2529 D3/D39DA0E3
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 313 bytes
Desc: not available
Url : /pipermail/attachments/20070221/84680c07/attachment.pgp
From JPClizbe at tx.rr.com Thu Feb 22 03:57:43 2007
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Wed, 21 Feb 2007 20:57:43 -0600
Subject: walkthrough
In-Reply-To: <9060231.post@talk.nabble.com>
References: <9060231.post@talk.nabble.com>
Message-ID: <45DD06A7.1030103@tx.rr.com>
PaulH wrote:
> Hi,
>
> I have just installed gpg4win-1.0.8. I'm new to this and not sure what I'm
> doing exactly and haven't the time to teach myself. I have looked for
> tutorials etc but can only find using gpg from the command line. All I
> simply need to do is set up a private key and be able to send encrypted
> emails to a particular client. I have tried but any email sent
> is not encrypted. My mail client is Outlook 2003.
>
> At some point the emails will automatically be sent from a server, the
> emails themselves will be generated by php script. Are there any issues
> with using gpg in this way?
>
> Sorry for the brevity of this post but I have my boss breathing down my neck
> expecting answers.
Have you installed the GnuPG Outlook plug-in? http://www.g10code.de/p-gpgol.html
Since you're encrypting all mails from a server, you may also wish to take a
look at GPGrelay: http://sites.inka.de/tesla/gpgrelay.html
--
John P. Clizbe Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."
"Just how do the residents of Haiku, Hawai'i hold conversations?"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 663 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20070221/03dfc471/attachment.pgp
From wk at gnupg.org Thu Feb 22 09:15:53 2007
From: wk at gnupg.org (Werner Koch)
Date: Thu, 22 Feb 2007 09:15:53 +0100
Subject: walkthrough
In-Reply-To: <45DD06A7.1030103@tx.rr.com> (John Clizbe's message of "Wed\, 21
Feb 2007 20\:57\:43 -0600")
References: <9060231.post@talk.nabble.com> <45DD06A7.1030103@tx.rr.com>
Message-ID: <87mz36y5dy.fsf@wheatstone.g10code.de>
On Thu, 22 Feb 2007 03:57, JPClizbe at tx.rr.com said:
> Have you installed the GnuPG Outlook plug-in? http://www.g10code.de/p-gpgol.html
He does as it is part of gpg4win and installed by default.
Shalom-Salam,
Werner
From wk at gnupg.org Thu Feb 22 09:23:00 2007
From: wk at gnupg.org (Werner Koch)
Date: Thu, 22 Feb 2007 09:23:00 +0100
Subject: Secret key holder identity
In-Reply-To: <328a5cf40702200902k5c3c7d15l8a6c8900cf90e5ba@mail.gmail.com>
(niknot@gmail.com's message of "Tue\, 20 Feb 2007 09\:02\:27 -0800")
References: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com>
<20070220142440.GL7549@hell.pl>
<328a5cf40702200902k5c3c7d15l8a6c8900cf90e5ba@mail.gmail.com>
Message-ID: <87irduy523.fsf@wheatstone.g10code.de>
On Tue, 20 Feb 2007 18:02, niknot at gmail.com said:
> If the system was designed for the real world, the encrypted message
> would, by default, consist of a binary data set, indistingushable from a
> random stream, until and unless decrypted using the recipient's private key.
A real world system needs to know the key for decryption and not fall
back to a time consuming mode of trial decryption with all available
secret keys. Some people are using dozens or even hundreds of secret
keys; in particular if you are using several pseudonyms or key
rotating.
OpenPGP is not designed to thwart traffic analysis. It has merely
some provisions to help such a system
Salam-Shalom,
Werner
From wk at gnupg.org Thu Feb 22 09:24:53 2007
From: wk at gnupg.org (Werner Koch)
Date: Thu, 22 Feb 2007 09:24:53 +0100
Subject: Use same key for S/MIME and OpenPGP
In-Reply-To: <4C78E9B9-147D-4040-8BFC-F863CF5C66F3@raphael.poss.name>
(=?utf-8?Q?Rapha=C3=ABl?=
Poss's message of "Mon\, 19 Feb 2007 23\:45\:56 +0100")
References: <4C78E9B9-147D-4040-8BFC-F863CF5C66F3@raphael.poss.name>
Message-ID: <87ejoiy4yy.fsf@wheatstone.g10code.de>
On Mon, 19 Feb 2007 23:45, mail at raphael.poss.name said:
> I'm just curious: since a RSA public key is made mainly of just two
> numbers, is it not possible (theoretically) to create both a valid
> PGP key and X509 certificate using the same key information, and use
> it with both protocols?
Yes, you can do that. In fact we are doing this already with the
OpenPGP smart card and Scute.
> Also, is it not (theoretically) possible to convert X509 key
> certificates to PGP key signatures or vice-versa, based on the
> numerical values of the signing certificates/keys ?
It does not buy you anything unless you have not enough space to store
both keys (the case of a smart card).
Shalom-Salam,
Werner
From niknot at gmail.com Thu Feb 22 16:53:44 2007
From: niknot at gmail.com (NikNot)
Date: Thu, 22 Feb 2007 07:53:44 -0800
Subject: Secret key holder identity
In-Reply-To: <87irduy523.fsf@wheatstone.g10code.de>
References: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com>
<20070220142440.GL7549@hell.pl>
<328a5cf40702200902k5c3c7d15l8a6c8900cf90e5ba@mail.gmail.com>
<87irduy523.fsf@wheatstone.g10code.de>
Message-ID: <328a5cf40702220753j730ca179y525c618be8354fc@mail.gmail.com>
On 2/22/07, Werner Koch wrote:
> On Tue, 20 Feb 2007 18:02, niknot at gmail.com said:
>
> > If the system was designed for the real world, the encrypted message
> > would, by default, consist of a binary data set, indistingushable from a
> > random stream, until and unless decrypted using the recipient's private key.
>
> A real world system needs to know the key for decryption and not fall
> back to a time consuming mode of trial decryption with all available
> secret keys...
>
> OpenPGP is not designed to thwart traffic analysis. It has merely
> some provisions to help such a system
>
Thanks Werner - we agree on the OpenPGP design. I'm only trying to
point out that this is a serious limitation, more so now than at the
time PGP was born (or OpenPGP was designed).
Tempora mutantur (et nos in illis?)
NikNot
From pubmb01 at skynet.be Thu Feb 22 18:33:38 2007
From: pubmb01 at skynet.be (Bruno Costacurta)
Date: Thu, 22 Feb 2007 18:33:38 +0100
Subject: Keyserver refresh period after gpg --send-keys
In-Reply-To: <20070219165102.GA82395@wilma.widomaker.com>
References: <200702182311.37828.pubmb01@skynet.be>
<20070219043155.GA6216@jabberwocky.com>
<20070219165102.GA82395@wilma.widomaker.com>
Message-ID: <200702221833.38067.pubmb01@skynet.be>
On Monday 19 February 2007 17:51:02 Jason Harris wrote:
> On Sun, Feb 18, 2007 at 11:31:55PM -0500, David Shaw wrote:
> > On Sun, Feb 18, 2007 at 11:11:37PM +0100, Bruno Costacurta wrote:
> > > I updated the expiration (via gpg --edit-key using expire option) of my
> > > key and (re)sended it to a keyserver (via gpg --send-keys [my key id])
> > > to keyserver subkeys.pgp.net.
> > > However key is still not updated after few hours.
> > > What are normal delays ?
>
> Keys do get temporarily "trapped" on the SKS keyserver network until
> keyserver.kjsl.com copies them over to the rest of the planet.
>
> BTW, your subkey isn't currently usable:
>
> sub 2048g/0CC897B5 2006-06-11 [subkey]
> Key fingerprint = CCE0 5315 0022 9460 0337 6C6F 4253 1C9A 0CC8 97B5
> sig 0x18 2E604D51 2006-06-11 [skey EXPIRED 2006-12-08] [keybind, hash:
> type 2, e0 0f] sig 0x18 2E604D51 2006-06-11 [skey EXPIRED 2006-12-08]
> [keybind, hash: type 2, e0 0f]
>
> > There is not an easy answer to that question. subkeys.pgp.net is not
> > actually a keyserver, but rather a collection of (at the moment) 5
> > different keyservers. When you use it, you get one server from the
> > pool in a round-robin fashion. Generally speaking, any given
> > keyserver in the pool that you update reflects the update immediately,
> > but frequently people update one keyserver in the pool, but then check
> > for the update from another server in the pool which hasn't gotten it
> > yet.
>
> NB: I think if GPG printed the IP address of the keyserver it used, it
> could end some of this confusion.
>
> Specifically, these were in a batch update from SKS to onak/OpenPKSD/pks/
> etc. (all times are TZ=UTC):
>
> 2007-02-06 23:02:08.290952260 display_new_sig: new sig 28 by 2E604D51
> added to 2E604D51 Bruno Costacurta 23:02:08.291023778 display_new_sig: new subkey sig by 2E604D51 added to
> 2E604D51
>
> these were first seen from pgp.nic.ad.jp:
>
> 2007-02-16 13:41:00.597122207 display_new_sig: new sig 1 by 2E604D51
> added to 2E604D51 Bruno Costacurta 13:41:00.597182829 display_new_sig: new sig 2 by 2E604D51 added to 2E604D51
> pubmb02
>
> and these were in another batch update:
>
> 2007-02-18 23:02:27.870255691 display_new_sig: new sig 71 by 2E604D51
> added to 2E604D51 Bruno Costacurta 23:02:27.870319946 display_new_sig: new sig 72 by 2E604D51 added to
> 2E604D51 pubmb02
Well, I still cannot see any refresh of my keys...sent 4 days ago.
Should I try again ?
Thanks.
Bruno
From jharris at widomaker.com Thu Feb 22 20:41:32 2007
From: jharris at widomaker.com (Jason Harris)
Date: Thu, 22 Feb 2007 14:41:32 -0500
Subject: Keyserver refresh period after gpg --send-keys
In-Reply-To: <200702221833.38067.pubmb01@skynet.be>
References: <200702182311.37828.pubmb01@skynet.be>
<20070219043155.GA6216@jabberwocky.com>
<20070219165102.GA82395@wilma.widomaker.com>
<200702221833.38067.pubmb01@skynet.be>
Message-ID: <20070222194132.GA17370@wilma.widomaker.com>
On Thu, Feb 22, 2007 at 06:33:38PM +0100, Bruno Costacurta wrote:
> On Monday 19 February 2007 17:51:02 Jason Harris wrote:
> > Specifically, these were in a batch update from SKS to onak/OpenPKSD/pks/
> > etc. (all times are TZ=UTC):
> > 2007-02-18 23:02:27.870255691 display_new_sig: new sig 71 by 2E604D51
> > added to 2E604D51 Bruno Costacurta > 23:02:27.870319946 display_new_sig: new sig 72 by 2E604D51 added to
> > 2E604D51 pubmb02
(NB: Nothing new has been seen by keyserver.kjsl.com since this entry.)
> Well, I still cannot see any refresh of my keys...sent 4 days ago.
> Should I try again ?
Yes, you need to. None of the 45 keyservers I just checked had anything
to add to your key.
keyserver.ganneff.de, currently part of subkeys.pgp.net, isn't
SKS-synchronizing right now, but it does email kjsl.com and didn't have
anything new either.
Right now, your full key in binary form hashes (SHA-1) to:
144278d5c7c4b138b76800333fe372bff355ee2c 2127 ./keyserver.kjsl.com/pks/lookup?op=get&search=0x2E604D51.gpg
e17306f3a61d468ad4a436b727c64461a7d4b604 2127 ./gpg-keyserver.de/pks/lookup?op=get&search=0x2E604D51.gpg
the latter matching on all the SKS servers I checked, except:
c751fdc463fae7f9525b5ab62a29439f9107683c 1735 ./keyserver.ganneff.de/pks/lookup?op=get&search=0x2E604D51.gpg
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 313 bytes
Desc: not available
Url : /pipermail/attachments/20070222/5d30127a/attachment.pgp
From bchill at bch.net Fri Feb 23 01:17:56 2007
From: bchill at bch.net (Brian C. Hill)
Date: Thu, 22 Feb 2007 16:17:56 -0800
Subject: gnupg 2.0.2 and funopen/fopencookie on Solaris 8
Message-ID: <20070223001756.GC16116@romulus.mondobox.com>
I built all of the requirements, but it wants libassuan built
with funopen / fopencooke support, which aren't available on SunOS 5.8
(Solaris 8).
I have scoured the docs, the FAQ and the web in general looking
for this issue, but found only one report (unresolved).
I have a feeling I am missing something.
How have other managed to build gnupg on SunOS 5.8?
Brian
From pubmb01 at skynet.be Fri Feb 23 09:57:40 2007
From: pubmb01 at skynet.be (Bruno Costacurta)
Date: Fri, 23 Feb 2007 09:57:40 +0100
Subject: Attribute 'comment'
Message-ID: <200702230957.40762.pubmb01@skynet.be>
Hello,
is it possible to change 'comment' attribute, ie. via gpg options
like --comment [string] or --no-comments ?
Bye,
Bruno
From wk at gnupg.org Fri Feb 23 10:48:16 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 23 Feb 2007 10:48:16 +0100
Subject: gnupg 2.0.2 and funopen/fopencookie on Solaris 8
In-Reply-To: <20070223001756.GC16116@romulus.mondobox.com> (Brian C. Hill's
message of "Thu\, 22 Feb 2007 16\:17\:56 -0800")
References: <20070223001756.GC16116@romulus.mondobox.com>
Message-ID: <878xeptdb3.fsf@wheatstone.g10code.de>
On Fri, 23 Feb 2007 01:17, bchill at bch.net said:
> How have other managed to build gnupg on SunOS 5.8?
You can't build GnuPG 2 on a system without funopen. We will
eventually solve this by replacing most stdio operations by a our own
and enhanced stdio implementation. Unfortunately there is no other
way to do that.
Shalom-Salam,
Werner
From dshaw at jabberwocky.com Fri Feb 23 14:09:20 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 23 Feb 2007 08:09:20 -0500
Subject: Attribute 'comment'
In-Reply-To: <200702230957.40762.pubmb01@skynet.be>
References: <200702230957.40762.pubmb01@skynet.be>
Message-ID: <20070223130920.GA30939@jabberwocky.com>
On Fri, Feb 23, 2007 at 09:57:40AM +0100, Bruno Costacurta wrote:
> Hello,
>
> is it possible to change 'comment' attribute, ie. via gpg options
> like --comment [string] or --no-comments ?
If you're referring to the "Comment: xxxxxx" string that appears in
the header of armored messages, then yes. Just use "--comment xxxxx"
David
From alex at bofh.net.pl Fri Feb 23 14:35:22 2007
From: alex at bofh.net.pl (Janusz A. Urbanowicz)
Date: Fri, 23 Feb 2007 14:35:22 +0100
Subject: Secret key holder identity
In-Reply-To: <87irduy523.fsf@wheatstone.g10code.de>
References: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com>
<20070220142440.GL7549@hell.pl>
<328a5cf40702200902k5c3c7d15l8a6c8900cf90e5ba@mail.gmail.com>
<87irduy523.fsf@wheatstone.g10code.de>
Message-ID: <20070223133521.GN7549@hell.pl>
On Thu, Feb 22, 2007 at 09:23:00AM +0100, Werner Koch wrote:
> On Tue, 20 Feb 2007 18:02, niknot at gmail.com said:
>
> > If the system was designed for the real world, the encrypted message
> > would, by default, consist of a binary data set, indistingushable from a
> > random stream, until and unless decrypted using the recipient's private key.
>
> A real world system needs to know the key for decryption and not fall
> back to a time consuming mode of trial decryption with all available
> secret keys. Some people are using dozens or even hundreds of secret
> keys; in particular if you are using several pseudonyms or key
> rotating.
>
> OpenPGP is not designed to thwart traffic analysis. It has merely
> some provisions to help such a system
And the modern anti-terrorist research and operational practice shows, that
you dont need to know actual meessage to do law-enforcement-level-meaningful
traffic analysis.
Alex
--
JID: alex at hell.pl
PGP: 0x46399138
od zwracania uwagi na detale s? lekarze, adwokaci, programi?ci i zegarmistrze
-- Czerski
From pubmb01 at skynet.be Fri Feb 23 21:22:48 2007
From: pubmb01 at skynet.be (Bruno Costacurta)
Date: Fri, 23 Feb 2007 21:22:48 +0100
Subject: Keyserver refresh period after gpg --send-keys
In-Reply-To: <200702182311.37828.pubmb01@skynet.be>
References: <200702182311.37828.pubmb01@skynet.be>
Message-ID: <200702232122.48986.pubmb01@skynet.be>
On Sunday 18 February 2007 23:11:37 Bruno Costacurta wrote:
> Hello,
>
> I updated the expiration (via gpg --edit-key using expire option) of my key
> and (re)sended it to a keyserver (via gpg --send-keys [my key id]) to
> keyserver subkeys.pgp.net.
> However key is still not updated after few hours.
> What are normal delays ?
>
> Bye,
> Bruno
Hello,
it seems to works better now but all changes are not reflected.
Via 'gpg --list-key' I'm able to modify keys expiration, add / remove uid and
delete uneeded signatures. Save and list reflect my changes.
However, after export, only new expiration and uid are present, other removed
items are still present.
How to export all the changes ?
Thanks for attention.
Bye,
Bruno
--
Bruno Costacurta
PGP key : http://www.costacurta.org/keys/bruno_costacurta_pgp_key.html
Key fingerprint = 713F 7956 9441 7DEF 58ED 1951 7E07 569B 2E60 4D51
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20070223/7f2eaf08/attachment.pgp
From JPClizbe at tx.rr.com Sat Feb 24 00:22:34 2007
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Fri, 23 Feb 2007 17:22:34 -0600
Subject: Keyserver refresh period after gpg --send-keys
In-Reply-To: <200702232122.48986.pubmb01@skynet.be>
References: <200702182311.37828.pubmb01@skynet.be>
<200702232122.48986.pubmb01@skynet.be>
Message-ID: <45DF773A.8060909@tx.rr.com>
Bruno Costacurta wrote:
> On Sunday 18 February 2007 23:11:37 Bruno Costacurta wrote:
>> Hello,
>>
>> I updated the expiration (via gpg --edit-key using expire option) of my key
>> and (re)sended it to a keyserver (via gpg --send-keys [my key id]) to
>> keyserver subkeys.pgp.net.
>> However key is still not updated after few hours.
>> What are normal delays ?
>>
>> Bye,
>> Bruno
>
> Hello,
> it seems to works better now but all changes are not reflected.
>
> Via 'gpg --list-key' I'm able to modify keys expiration, add / remove uid and
> delete uneeded signatures. Save and list reflect my changes.
> However, after export, only new expiration and uid are present, other removed
> items are still present.
> How to export all the changes ?
You can't delete information from a keyserver that synchronizes with others.
That's why new information and changes show up, but your deletions do not.
--
John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet
Golden Bear Networks PGP/GPG KeyID: 0x608D2A10
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 663 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20070223/3c0c7b92/attachment-0001.pgp
From m_d_berger_1900 at yahoo.com Sat Feb 24 18:49:17 2007
From: m_d_berger_1900 at yahoo.com (Mike - EMAIL IGNORED)
Date: Sat, 24 Feb 2007 12:49:17 -0500
Subject: Why a subkey?
Message-ID:
On FC4 with gpg 1.4.1:
I created a new user account and used gpg --gen-key .
I selected RSA (sign only) since it was the only RSA
option.
It says the key cannot be used for encryption, and a
subkey must be generated. Why? Is it related to
(sign only)? If so, why was (sign and encrypt)
not offered as an option?
I did this a year or two ago, and I do not remember
needing a subkey. I still have that keyring in
under another user.
Thanks for your help.
Mike.
From rjh at sixdemonbag.org Sat Feb 24 19:42:09 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 24 Feb 2007 12:42:09 -0600
Subject: Why a subkey?
In-Reply-To:
References:
Message-ID:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> On FC4 with gpg 1.4.1:
Please upgrade. There have been a couple of security updates since
1.4.1.
> It says the key cannot be used for encryption, and a
> subkey must be generated. Why?
Why must an encryption subkey be generated? Because you don't have
one. If you mean "why doesn't GnuPG create an encryption subkey at
the same time it creates a signing subkey, the way it does for DSS/
ElGamal keypairs", for that one you'd have to ask the developers.
It's never made a lick of sense to me, myself.
> If so, why was (sign and encrypt) not offered as an option?
Having one key that can be used for both signing and encryption
operations is thought by some to be bad crypto policy. The problems
with it appear to be mostly theoretical, though.
> I did this a year or two ago, and I do not remember
> needing a subkey. I still have that keyring in
> under another user.
If your other key was DSS/ElGamal, that's because GnuPG created the
additional subkey for you at the same time as your signing subkey. :)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
iQEcBAEBCAAGBQJF4IcBAAoJELcA9IL+r4EJ7yEH/jhlcNgLfmiptvSd238r9Ox5
89TNIXp0O4hb0hcps8nOTax7Y1k1JFGKR1UetTtExUSGmqHqYAn5mFj1RJCLkhl1
3WKxONKHHyzx1rDdXm58veaEUdr+BFwrNwjTSioqosw40k37Wng1/kMN+KTfkA1i
8DYGIEs6X5zswIAET3BDsDUpdXp5XHBlpg2W+DevNOXACpA20TOy8yFYoSXVbg5O
HcpeqVJvvtPBIYkC77OWER4Eb5GQ/nD0BNWTeC0F0JBSflR6vYkNgi8hf6sqZGih
ojd+qJDVJNxoUNuS+6/hZVbbpmX49HlQJHuzhcvf3mlPmrpzw6wo7rRE2cIlj3U=
=LIcg
-----END PGP SIGNATURE-----
From m_d_berger_1900 at yahoo.com Sat Feb 24 20:18:18 2007
From: m_d_berger_1900 at yahoo.com (Mike - EMAIL IGNORED)
Date: Sat, 24 Feb 2007 14:18:18 -0500
Subject: Why a subkey?
References:
Message-ID:
On Sat, 24 Feb 2007 12:42:09 -0600, Robert J. Hansen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>> On FC4 with gpg 1.4.1:
>
> Please upgrade. There have been a couple of security updates since
> 1.4.1.
>
>> It says the key cannot be used for encryption, and a
>> subkey must be generated. Why?
>
> Why must an encryption subkey be generated? Because you don't have
> one. If you mean "why doesn't GnuPG create an encryption subkey at
> the same time it creates a signing subkey, the way it does for DSS/
> ElGamal keypairs", for that one you'd have to ask the developers.
> It's never made a lick of sense to me, myself.
>
>> If so, why was (sign and encrypt) not offered as an option?
>
> Having one key that can be used for both signing and encryption
> operations is thought by some to be bad crypto policy. The problems
> with it appear to be mostly theoretical, though.
>
>> I did this a year or two ago, and I do not remember
>> needing a subkey. I still have that keyring in
>> under another user.
>
> If your other key was DSS/ElGamal, that's because GnuPG created the
> additional subkey for you at the same time as your signing subkey. :)
>
>
[...]
Now I created a key using "DSA and Elgamal (default)". As you
suggest, it created a subkey for me, as can be seen in gpg --list-keys.
If I run gpg --list-keys on my old keyring, I see no subkeys in the
old keys (Apr 2006), but there is a subkey in the public key imported
from the new user account. Has there been a change? Are my old
keys obsolete? I don't remember if I upgraded gpg in the interim
(present version 1.4.1), but I will upgrade, as you suggest.
Thanks,
Mike.
From bok at pinoymac.org Sat Feb 24 06:36:28 2007
From: bok at pinoymac.org (boksbox)
Date: Fri, 23 Feb 2007 21:36:28 -0800 (PST)
Subject: Update 1.4.6 Mac OS configure error
Message-ID: <9131273.post@talk.nabble.com>
I tried to install the 1.4.6 update to my 1.4.5 GnuPG. As I followed the
compile instruction I encounter an error. When I do ./configure an error
comes up at the end of the display and according to the logs:
...
configure:3397: checking for cl.exe
configure:3427: result: no
configure:3456: error: no acceptable C compiler found in $PATH
See `config.log' for more details.
I'm stuck. Any help would be appreciated. I'm using PPC Mac running 10.4.8
--
View this message in context: http://www.nabble.com/Update-1.4.6-Mac-OS-configure-error-tf3282741.html#a9131273
Sent from the GnuPG - User mailing list archive at Nabble.com.
From sven at radde.name Sat Feb 24 19:55:58 2007
From: sven at radde.name (Sven Radde)
Date: Sat, 24 Feb 2007 19:55:58 +0100
Subject: Why a subkey?
In-Reply-To:
References:
Message-ID: <45E08A3E.5090000@radde.name>
Robert J. Hansen schrieb:
>> If so, why was (sign and encrypt) not offered as an option?
>
> Having one key that can be used for both signing and encryption
> operations is thought by some to be bad crypto policy. The problems
> with it appear to be mostly theoretical, though.
If you use "gpg --expert --gen-key", it will offer the selection:
(7) RSA (set your own capabilities)
This lets you choose a key which can be used for signing and encrypting.
Anyway, if there's a question "Why a subkey?", its partner-question
would be: "Why not?"
cu, Sven
From dan_yt555 at yahoo.com Sat Feb 24 23:15:10 2007
From: dan_yt555 at yahoo.com (Dan Tipton)
Date: Sat, 24 Feb 2007 14:15:10 -0800 (PST)
Subject: Available and default options
Message-ID: <229949.35374.qm@web63110.mail.re1.yahoo.com>
Hello,
I have a question about how GPG assigns default
preferences to a key. When I check the version I get a
list of supported ciphers, digests, etc:
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256,
TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
Compression: Uncompressed, ZIP, ZLIB, BZIP2
But then when I create a key with the default settings
& do a showpref, the key doesn't include all supported
options:
Cipher: AES256, AES192, AES, CAST5, 3DES
Digest: SHA1, RIPEMD160
Compression: ZLIB, ZIP, Uncompressed
It seems to me that the key should include all the
options it is capable of using.
I know I can add all of these options but why aren't
they there by default?
Thanks,
Dan
____________________________________________________________________________________
Looking for earth-friendly autos?
Browse Top Cars by "Green Rating" at Yahoo! Autos' Green Center.
http://autos.yahoo.com/green_center/
From jbruni at mac.com Mon Feb 26 17:42:43 2007
From: jbruni at mac.com (Joseph Oreste Bruni)
Date: Mon, 26 Feb 2007 09:42:43 -0700
Subject: Update 1.4.6 Mac OS configure error
In-Reply-To: <9131273.post@talk.nabble.com>
References: <9131273.post@talk.nabble.com>
Message-ID: <72D8AD29-9E79-4573-8B57-0D619F80A471@mac.com>
Do you have the developer tools installed?
Joe
On Feb 23, 2007, at 10:36 PM, boksbox wrote:
>
> I tried to install the 1.4.6 update to my 1.4.5 GnuPG. As I
> followed the
> compile instruction I encounter an error. When I do ./configure
> an error
> comes up at the end of the display and according to the logs:
> ...
> configure:3397: checking for cl.exe
> configure:3427: result: no
> configure:3456: error: no acceptable C compiler found in $PATH
> See `config.log' for more details.
>
> I'm stuck. Any help would be appreciated. I'm using PPC Mac
> running 10.4.8
>
> --
> View this message in context: http://www.nabble.com/Update-1.4.6-
> Mac-OS-configure-error-tf3282741.html#a9131273
> Sent from the GnuPG - User mailing list archive at Nabble.com.
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2508 bytes
Desc: not available
Url : /pipermail/attachments/20070226/47d6cf3f/attachment.bin
From rjh at sixdemonbag.org Mon Feb 26 17:52:03 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 26 Feb 2007 10:52:03 -0600
Subject: Update 1.4.6 Mac OS configure error
In-Reply-To: <9131273.post@talk.nabble.com>
References: <9131273.post@talk.nabble.com>
Message-ID: <02742BE0-8302-4AC3-8C0B-169D13690506@sixdemonbag.org>
> I tried to install the 1.4.6 update to my 1.4.5 GnuPG. As I
> followed the
> compile instruction I encounter an error. When I do ./configure
> an error
> comes up at the end of the display and according to the logs:
The configure script can't find a C compiler. Make sure you have the
XCode development tools installed.
Once you install them, visit http://developer.apple.com and sign up
for an Apple Developer membership (it's free). Then download the
latest and greatest XCode tools. Once those are installed, then do
the ./configure dance over again.
Alternately, try looking at Fink (http://fink.sf.net), which has a
GnuPG package available.
From benjamin at py-soft.co.uk Mon Feb 26 18:57:17 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Mon, 26 Feb 2007 17:57:17 +0000
Subject: Update 1.4.6 Mac OS configure error
In-Reply-To: <9131273.post@talk.nabble.com>
References: <9131273.post@talk.nabble.com>
Message-ID: <45E31F7D.9060400@py-soft.co.uk>
boksbox wrote:
> I tried to install the 1.4.6 update to my 1.4.5 GnuPG. As I followed the
> compile instruction I encounter an error.
Try my gnupg 1.4.6 binary install at
http://www.py-soft.co.uk/~benjamin/download/mac-gpg/GnuPG1.4.6.dmg
Ben
From pubmb01 at skynet.be Mon Feb 26 21:33:34 2007
From: pubmb01 at skynet.be (Bruno Costacurta)
Date: Mon, 26 Feb 2007 21:33:34 +0100
Subject: Keyserver refresh period after gpg --send-keys
In-Reply-To: <45DF773A.8060909@tx.rr.com>
References: <200702182311.37828.pubmb01@skynet.be>
<200702232122.48986.pubmb01@skynet.be> <45DF773A.8060909@tx.rr.com>
Message-ID: <200702262133.34950.pubmb01@skynet.be>
On Saturday 24 February 2007 00:22:34 John Clizbe wrote:
> Bruno Costacurta wrote:
> > On Sunday 18 February 2007 23:11:37 Bruno Costacurta wrote:
> >> Hello,
> >>
> >> I updated the expiration (via gpg --edit-key using expire option) of my
> >> key and (re)sended it to a keyserver (via gpg --send-keys [my key id])
> >> to keyserver subkeys.pgp.net.
> >> However key is still not updated after few hours.
> >> What are normal delays ?
> >>
> >> Bye,
> >> Bruno
> >
> > Hello,
> > it seems to works better now but all changes are not reflected.
> >
> > Via 'gpg --list-key' I'm able to modify keys expiration, add / remove uid
> > and delete uneeded signatures. Save and list reflect my changes.
> > However, after export, only new expiration and uid are present, other
> > removed items are still present.
> > How to export all the changes ?
>
> You can't delete information from a keyserver that synchronizes with
> others. That's why new information and changes show up, but your deletions
> do not.
Well...it makes sense. Thanks for your attention and answer.
Bye,
Bruno
From dshaw at jabberwocky.com Mon Feb 26 21:52:31 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 26 Feb 2007 15:52:31 -0500
Subject: Available and default options
In-Reply-To: <229949.35374.qm@web63110.mail.re1.yahoo.com>
References: <229949.35374.qm@web63110.mail.re1.yahoo.com>
Message-ID: <20070226205231.GC5853@jabberwocky.com>
On Sat, Feb 24, 2007 at 02:15:10PM -0800, Dan Tipton wrote:
> Hello,
>
> I have a question about how GPG assigns default
> preferences to a key. When I check the version I get a
> list of supported ciphers, digests, etc:
>
> Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256,
> TWOFISH
> Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
> Compression: Uncompressed, ZIP, ZLIB, BZIP2
>
> But then when I create a key with the default settings
> & do a showpref, the key doesn't include all supported
> options:
>
> Cipher: AES256, AES192, AES, CAST5, 3DES
> Digest: SHA1, RIPEMD160
> Compression: ZLIB, ZIP, Uncompressed
>
>
> It seems to me that the key should include all the
> options it is capable of using.
This is an example of "be liberal in what you accept, conservative in
what you generate". In theory, it shouldn't matter what algorithms
were listed in the preference list as the OpenPGP protocol would never
allow using an algorithm that couldn't be handled by all users.
In practice, however, it turned out that not all programs properly
handled preferences, and there were issues with people generating a
key with one program and using it on another without resetting the
preferences to what the new program could handle, and things like
that.
Even though most of the old systems are no longer used, the end result
is the preference list as you see it now, and there is high confidence
that it will interoperate with anything. Nothing stops you from
putting whatever algorithm you want in there, of course.
David
From m_d_berger_1900 at yahoo.com Mon Feb 26 23:23:31 2007
From: m_d_berger_1900 at yahoo.com (Mike - EMAIL IGNORED)
Date: Mon, 26 Feb 2007 17:23:31 -0500
Subject: Why a subkey?
References:
<45E08A3E.5090000__16914.5108121031$1172507410$gmane$org@radde.name>
Message-ID:
On Sat, 24 Feb 2007 19:55:58 +0100, Sven Radde wrote:
> Robert J. Hansen schrieb:
>>> If so, why was (sign and encrypt) not offered as an option?
>>
>> Having one key that can be used for both signing and encryption
>> operations is thought by some to be bad crypto policy. The problems
>> with it appear to be mostly theoretical, though.
>
> If you use "gpg --expert --gen-key", it will offer the selection:
> (7) RSA (set your own capabilities)
> This lets you choose a key which can be used for signing and encrypting.
>
> Anyway, if there's a question "Why a subkey?", its partner-question
> would be: "Why not?"
>
> cu, Sven
Thanks four your "-expert" suggestion. While I would consider
myself a "-novice" with regard to gpg, it is, perhaps, something
I should try. Your "Why not?" question is another matter. If you
are employed, I suggest you try it on your manager next time you
are required to justify a costly idea.
Mike.
From jsd at cluttered.com Tue Feb 27 01:36:37 2007
From: jsd at cluttered.com (Jon Drukman)
Date: Mon, 26 Feb 2007 16:36:37 -0800
Subject: Newbie Q: decryption
Message-ID:
A company I'm getting a data feed from sent me a public key and an
encrypted file. I want to decrypt it, but I don't know I'm doing. My
naive approach is not working:
$ gpg --homedir=/var/httpd/keyring --decrypt upc.xml.pgp
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: mpi too large for this implementation (40856 bits)
the public key is in the file "nf_key". i thought i imported it but i
don't how to tell if i did it right, or if it's even the right key for
the file.
help!
-jsd-
From jbruni at mac.com Tue Feb 27 02:54:36 2007
From: jbruni at mac.com (Joseph Oreste Bruni)
Date: Mon, 26 Feb 2007 18:54:36 -0700
Subject: Newbie Q: decryption
In-Reply-To:
References:
Message-ID: <87A56D2F-7479-40EE-8C51-DEE4EAFFF82B@mac.com>
Two things:
1) You can't decrypt a file with a public key. Obviously the company
who sent you the file doesn't understand public-key encryption either
because they would need YOUR public key in order to encrypt files to
you. The first step for them would have been to request a key from
you. On the other hand, they might have merely signed the file and
the public key would be used by you to "verify" the signature and it
might not be encrypted at all. See next.
2) The "mpi too large" message would indicate to me that the file is
most like corrupted by the file transfer process. Check to make sure
that if the file is binary that the transfer method does not perform
conversion on end-of-line characters.
Another thing you can try to examine the file is to use the "--list-
packets" command.
$ gpg --list-packets
This will tell you (usually) whether the file is valid OpenPGP data,
as well as the algorithm and key ID used to encrypt the file (if it
is encrypted and not just corrupted).
Regards,
Joe
On Feb 26, 2007, at 5:36 PM, Jon Drukman wrote:
> A company I'm getting a data feed from sent me a public key and an
> encrypted file. I want to decrypt it, but I don't know I'm doing. My
> naive approach is not working:
>
> $ gpg --homedir=/var/httpd/keyring --decrypt upc.xml.pgp
> gpg: WARNING: using insecure memory!
> gpg: please see http://www.gnupg.org/faq.html for more information
> gpg: mpi too large for this implementation (40856 bits)
>
> the public key is in the file "nf_key". i thought i imported it but i
> don't how to tell if i did it right, or if it's even the right key for
> the file.
>
> help!
> -jsd-
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2508 bytes
Desc: not available
Url : /pipermail/attachments/20070226/a992eca7/attachment.bin
From jbruni at mac.com Tue Feb 27 02:56:39 2007
From: jbruni at mac.com (Joseph Oreste Bruni)
Date: Mon, 26 Feb 2007 18:56:39 -0700
Subject: Newbie Q: decryption
In-Reply-To:
References:
Message-ID: <857DD0A6-AA14-42F0-BCB0-510E57E8F336@mac.com>
Oh yeah, third thing:
The "insecure memory" warning just means that the executable probably
needs to be setuid-root in order to allocate wired memory. You can
ignore this and still use the product. It just means that gpg tried
to allocate memory that cannot be swapped to disk and failed due to
permissions. Some OS's allow non-root users to allocate a limited
amount of wired memory (BSD, OS X) whereas HP-UX does not.
Joe
On Feb 26, 2007, at 5:36 PM, Jon Drukman wrote:
> A company I'm getting a data feed from sent me a public key and an
> encrypted file. I want to decrypt it, but I don't know I'm doing. My
> naive approach is not working:
>
> $ gpg --homedir=/var/httpd/keyring --decrypt upc.xml.pgp
> gpg: WARNING: using insecure memory!
> gpg: please see http://www.gnupg.org/faq.html for more information
> gpg: mpi too large for this implementation (40856 bits)
>
> the public key is in the file "nf_key". i thought i imported it but i
> don't how to tell if i did it right, or if it's even the right key for
> the file.
>
> help!
> -jsd-
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2508 bytes
Desc: not available
Url : /pipermail/attachments/20070226/8d706bb4/attachment.bin
From m_d_berger_1900 at yahoo.com Tue Feb 27 03:48:18 2007
From: m_d_berger_1900 at yahoo.com (Mike - EMAIL IGNORED)
Date: Mon, 26 Feb 2007 21:48:18 -0500
Subject: Why a subkey?
References:
Message-ID:
On Sat, 24 Feb 2007 12:42:09 -0600, Robert J. Hansen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>> On FC4 with gpg 1.4.1:
>
> Please upgrade. There have been a couple of security updates since
> 1.4.1.
>
[...]
Following your advice, I ran:
yum update gnupg
a few days ago, and now I have v1.4.5 . But I
see that you have v1.4.6 . I ran yum again,
and it got nothing new. So what's happening?
Thanks,
Mike.
From rjh at sixdemonbag.org Tue Feb 27 03:58:25 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 26 Feb 2007 20:58:25 -0600
Subject: Why a subkey?
In-Reply-To:
References:
Message-ID: <9F903BDD-568A-4F3B-A5FE-766E2AEF6594@sixdemonbag.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> Following your advice, I ran:
> yum update gnupg
> a few days ago, and now I have v1.4.5 . But I
> see that you have v1.4.6 . I ran yum again,
> and it got nothing new. So what's happening?
I'm guessing that FC4 isn't getting updates very frequently anymore.
This doesn't surprise me, given that it's either been EOLed or is due
for EOLing.
The current version of Fedora is FC6.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
iQEcBAEBCAAGBQJF455SAAoJELcA9IL+r4EJqbMH/RSEMKAIg2Tzl2gO6n9wwPj1
yYKFm5wqq1icoas8WxEOnMrYA32ALSD8OLKAbAoixR4t3NDA8BNnoBGE4PPIDBy3
o5/MGlaAmjdfFzmIirjClOcftoWA19MyEkz4/LLJBVCTF+B3rmSltZ4240uDBx0t
x2cTSHyUlWVgSlfE62WryjDbAb55Qnu+EY1Bd9Shbjv1hDlgrIZZu56RBiBqPW26
TWbw0bgFNoC+t7nO78mgDHBcwkSBkG0jDrX2PmfXOhXRJIAvcbFo9M+cX6gnj9RS
DFxtzeslDDlgd6Qtng6nuXGEY/ujgkU/EMQ+YeeVpbxRi/y5hzN43HJc6gv90f8=
=J9Qi
-----END PGP SIGNATURE-----
From tobias.weisserth at gmail.com Tue Feb 27 03:25:29 2007
From: tobias.weisserth at gmail.com (Tobias Weisserth)
Date: Tue, 27 Feb 2007 03:25:29 +0100
Subject: Newbie Q: decryption
In-Reply-To: <857DD0A6-AA14-42F0-BCB0-510E57E8F336@mac.com>
References:
<857DD0A6-AA14-42F0-BCB0-510E57E8F336@mac.com>
Message-ID: <200702270325.29827.tobias.weisserth@gmail.com>
Hi there,
On Tuesday, 27. February 2007 02:56, Joseph Oreste Bruni wrote:
> Oh yeah, third thing:
>
> The "insecure memory" warning just means that the executable probably
> needs to be setuid-root in order to allocate wired memory. You can
> ignore this and still use the product. It just means that gpg tried
> to allocate memory that cannot be swapped to disk and failed due to
> permissions. Some OS's allow non-root users to allocate a limited
> amount of wired memory (BSD, OS X) whereas HP-UX does not.
Having GnuPG use swap partitions/files is a risky business. There's another
way around this mess without having to make the GnuPG binary setuid. If you
don't use Windows simply encrypt swap space. OpenBSD does this by default,
Mac OS X can be set up to do it and swap partition encryption in GNU/Linux is
trivial to setup too. Maybe there should be an option in GnuPG to disable
this warning when compiling it on a platform that does swap encryption
anyway.
Take a look here too:
https://www.weisserth.eu/index.php/2007/01/13/encrypting-your-swap-partition-with-opensuse-102/
Hope this helps,
Tobias
From bok at pinoymac.org Tue Feb 27 03:40:33 2007
From: bok at pinoymac.org (Bok NgSinco)
Date: Tue, 27 Feb 2007 10:40:33 +0800
Subject: Update 1.4.6 Mac OS configure error
In-Reply-To: <45E31F7D.9060400@py-soft.co.uk>
References: <9131273.post@talk.nabble.com> <45E31F7D.9060400@py-soft.co.uk>
Message-ID:
On 2/27/07, at 1:57 AM, Benjamin Donnachie wrote:
> boksbox wrote:
>> I tried to install the 1.4.6 update to my 1.4.5 GnuPG. As I
>> followed the
>> compile instruction I encounter an error.
>
> Try my gnupg 1.4.6 binary install at
> http://www.py-soft.co.uk/~benjamin/download/mac-gpg/GnuPG1.4.6.dmg
>
> Ben
Thanks Ben!
Your binary install works good. And thanks to Joseph and Robert for
letting me know I have to have developer's kit to compile. But I may
have to put that off for a while now thanks to Ben.
-bok
From rjh at sixdemonbag.org Tue Feb 27 06:13:18 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 26 Feb 2007 23:13:18 -0600
Subject: Newbie Q: decryption
In-Reply-To: <200702270325.29827.tobias.weisserth@gmail.com>
References:
<857DD0A6-AA14-42F0-BCB0-510E57E8F336@mac.com>
<200702270325.29827.tobias.weisserth@gmail.com>
Message-ID: <304117DF-959C-4D9A-94BD-63AE63A07C0B@sixdemonbag.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> Having GnuPG use swap partitions/files is a risky business.
As a general principle, I'm unconvinced of the truth of this as a
general statement.
It's risky within certain security models. Let's not go about saying
it's universally risky. Let's also not recommend encrypting swap
space _a priori_ without also warning people of the (massive)
performance penalty that can result from encrypted swap. I recall
seeing some numbers from OpenBSD that indicated encrypted swap
resulted in a 33% slowdown for swap access compared to unencrypted
swap. This could be related to OpenBSD internals or it could be
indicative of a deeper problem with encrypted swap. Either way, the
potential downsides of encrypted swap should be considered before
anyone decides to undertake this.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
iQEcBAEBCAAGBQJF473vAAoJELcA9IL+r4EJrHgH/2azJYCxZXWYd53Ir6f7AwSe
X3XmXaX4w3lSD9JbaF7xPlTSlLZThuyfEC59hOKUWiPAd9QcJwkySOx0/rrwVZRp
sAArZgGaTbvInn7R7xKWSUrztXJtM/fNRuP3UOCg7hvNtdVe2E7Oe2Q60fl753Om
p6vk3H93dwyIG2tbJqnJUAXyBhx/Mm5ULct4F99zXHdtgWpvIaylkR0CNvAiLUfM
bm/8zk1uXY+4dAJONUB7uQITMynpbwCEGan9ej8JsQMt5Bv1rDZLW5fc7ra+MLG+
UMEDdFTa7KoRU1c3ljM+dwuzub9+CFoeevsDIUEJ5wn1no2ou/HFuWk4aW44Zto=
=kZwk
-----END PGP SIGNATURE-----
From mike.keighley at adare.com Tue Feb 27 16:21:36 2007
From: mike.keighley at adare.com (mike.keighley at adare.com)
Date: Tue, 27 Feb 2007 15:21:36 +0000
Subject: Why a subkey?
Message-ID:
"Robert J. Hansen" writes:
> I'm guessing that FC4 isn't getting updates very frequently anymore.
> This doesn't surprise me, given that it's either been EOLed or is due
> for EOLing.
FC4 was EOLed in Aug06.
It was expected that security updates would be taken up by Fedora Legacy,
but that project has since wound down. There didn't seem to be the same
level of demand or contributions as for RH7, RH9, FC1, FC2.
--
Mike
From mike.keighley at adare.com Tue Feb 27 20:13:26 2007
From: mike.keighley at adare.com (mike.keighley at adare.com)
Date: Tue, 27 Feb 2007 19:13:26 +0000
Subject: Newbie Q: decryption
Message-ID:
Joseph Oreste Bruni writes:
> Some OS's allow non-root users to allocate a limited
> amount of wired memory (BSD, OS X) whereas HP-UX does not.
HP-UX can ! It just doesn't, by default.
root can use setprivgrp(1M) to allow specified groups of
ordinary users the "mlock" priviledge.
--
Mike
From jbruni at mac.com Tue Feb 27 21:12:25 2007
From: jbruni at mac.com (Joseph Oreste Bruni)
Date: Tue, 27 Feb 2007 13:12:25 -0700
Subject: Newbie Q: decryption
In-Reply-To:
References:
Message-ID: <13C5EE09-7F35-4250-B990-D216414FB0F1@mac.com>
On Feb 27, 2007, at 12:13 PM, mike.keighley at adare.com wrote:
> Joseph Oreste Bruni writes:
>
>> Some OS's allow non-root users to allocate a limited
>> amount of wired memory (BSD, OS X) whereas HP-UX does not.
>
> HP-UX can ! It just doesn't, by default.
> root can use setprivgrp(1M) to allow specified groups of
> ordinary users the "mlock" priviledge.
>
Well there it is; interesting. That might be something to include in
the FAQ regarding insecure memory. On my HP box, there doesn't seem
to be a man page for that command, just the syscall for it.
Joe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2508 bytes
Desc: not available
Url : /pipermail/attachments/20070227/890221d2/attachment.bin
From lists_de at zemisch.de Wed Feb 28 05:56:44 2007
From: lists_de at zemisch.de (Dirk Zemisch)
Date: Wed, 28 Feb 2007 11:56:44 +0700
Subject: Fwd: Zusammenspiel GnuPG - GPG-Relay - sTunnel
In-Reply-To: <1779200883.20070223103503@zemisch.de>
References: <1779200883.20070223103503@zemisch.de>
Message-ID: <1668330864.20070228115644@zemisch.de>
Morning,
I'm forwarding my mail from gnupg-de, cause get no answer there. Maybe
anyone *here* can help me out with some tips. German original you can
find at the end. Sorry for my bad english - if your german is better,
please read the german version. :-)
Last week I reinstalled GnuPG and GPGRelay, using GnuPG-Pack Basics
and the GPGRelay installer. Before doing so I uninstalled the old
installation (GnuPT and GPGRelay).
Now I have some mysterious errors, which I can not place to one or
another program directly.
At first, the DLLs for OpenSSL (from GnuPG-Pack, sTunnel) and GPGRelay
are not compatible (libeay32 and libssl32). GPGRelay do not accept the
DLLs from the OpenSSL package (dated october, 1st 2006), while the
DLLs from the GPGRelay Site (dated july, 10th 2004) are not working
with stunnel (compression:Zlib parameter in the .conf). As I'm not
using sTunnel so far, I'm using now the old DLLs, but for me it is not
the best solution.
On the other hand GPGRelay do not find the right recipient of mails,
and tests all keys from the keyring. Why? The mail has only on
receiver (To:), and this one is only in one key present.
Windows XP (NT 5.1 Build 2600 - Service Pack 2 - all updates)
CPU: Intel Pentium M (586 - @1728 GHz)
with RAM: 504MB (virtual: 1921MB; used 62%)
IP: 192.168.0.11
If additional information is needed - please ask for it.
Thanks in advance.
Dirk
-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Date: Freitag, 23. Februar 2007 10:35:03
To: GnuPG (DE)
Subject: Zusammenspiel GnuPG - GPG-Relay - sTunnel
-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Hallo Listlinge,
ich h?tte da gern mal ein Problem:
Ich habe gestern meine alte Installation von GnuPT (GnuPG 1.4.3,
GPG-Relay 0.959, GPGee und WinPT) durch die neue GnuPG-Pack Basics
(GnuPG 1.4.6 eben und sTunnel) und GPG-Relay (wieder 0.959) ersetzt.
Dazu habe ich die alte Installation zuerst (IMHO komplett, inkl.
Neustart) entfernt und dann die neuen Pakete entsprechend der
Anweisung auf der GnuPG-Pack WebSite neu eingespielt.
Nun habe ich folgende Probleme, kann sie aber leider nicht genau einem
Programm zuordnen und frage deshalb erstmal hier im Allgemeinen. Aber
konkrete Hinweise werden auch gern genommen. ;-)
Ich hole einen Gro?teil der ?ber GPG-Relay laufenden Mailkonten per
SSL (bzw. TLS) ab. Klappte vorher ganz wunderbar, seit der
Neuinstallation meckert GPG-Relay das Fehlen der beiden SSL-DLLs
(libeay32 und libssl32) an. Allerdings sind diese da (im GPG-Relay
Verzeichnis), aber offensichtlich stammen diese aus dem OpenSSL Paket
und werden von GPG-Relay nicht erkannt.
Es funktioniert aber sofort , sobald ich die beiden Dateien mit den
gleichnamigen aus dem SSL Paket von der GPG-Relay Projektseite
ersetze. Dann allerdings funktioniert 'Compression: zlib' f?r sTunnel
nicht. (OpenSSL-DLLs mit Datum 1.10.2006, GPG-Relay DLLs vom
10.07.2004)
Im Moment habe ich erst einmal die Kompression in der stunnel.conf
ausgeknipst und nutze die alten Dateien, aber als endg?ltige L?sung
finde ich das nicht sch?n.
Frage: Ist dieses Problem bekannt? Gibt es vielleicht sogar eine
L?sung?
Das zweite Problem scheint seine Ursache auch irgendwie im
Zusammenspiel des neuen Paketes mit GPG-Relay zu haben. Und zwar
bekomme ich (silent Mode in GPG-Relay) folgende Header (@dressen
redigiert):
> X-GPGrelay-GoodSig: 9D9A3B133BC72B51 Dirk Zemisch
> X-GPGrelay-SigID: bSmhCqei3PQ0GqKuOqxpmw6ckoQ 2007-02-23 1172198022
> X-GPGrelay-EncTo: 0000000000000000 16 0
> X-GPGrelay-Status: This mail was encrypted (PGP-MIME).
> ,-----GnuPG output follows (current time: Fri, Feb 23 2007 - 09:42:50)--
> |
> | anonymous recipient; trying secret key DF5D2ACB ...
> | anonymous recipient; trying secret key F1F5C6D4 ...
> | anonymous recipient; trying secret key 4D6196B5 ...
> | anonymous recipient; trying secret key E2E6A997 ...
> | anonymous recipient; trying secret key 37732829 ...
> | anonymous recipient; trying secret key 9D273BF0 ...
> | anonymous recipient; trying secret key 51211DD6 ...
> | anonymous recipient; trying secret key 212B1BDF ...
> | anonymous recipient; trying secret key BF53A544 ...
> | anonymous recipient; trying secret key C1C51B93 ...
> | anonymous recipient; trying secret key A4555DC0 ...
> | anonymous recipient; trying secret key FAC31E23 ...
> | anonymous recipient; trying secret key 9D91C0BE ...
> | anonymous recipient; trying secret key 577445AF ...
> | anonymous recipient; trying secret key AFB66E83 ...
> | anonymous recipient; trying secret key 2F3559D7 ...
> | Alles klar, wir sind der ungenannte Empf?nger.
> | Signature made 02/23/07 09:33:42 using DSA key ID 3BC72B51
> | Good signature from "Dirk Zemisch "
> | aka "Dirk Zemisch "
> | aka "Dirk Zemisch "
> | aka "Dirk Zemisch "
> | aka "Dirk Zemisch "
> | aka "[jpeg image of size 4106]"
> |
> `-----------------------------------------------------------------------
Zu jedem 'trying ...' kommt nat?rlich der entsprechende Dialog zur
Passphrase Abfrage hoch. Ist ja sch?n, dass letztendlich einer der Keys
gegriffen hat, aber wer behauptet denn da 'anonymous recipient'? Im
'To:' steht nur eine Adresse und zwar genau die zum 2F3559D7 geh?rende,
die in keinem der anderen (gr??tenteils tempor?ren Tests dienenden)
Schl?sseln auftaucht.
Ja, ich kann nat?rlich jedes Mal alle anderen Schl?sselabfragen skippen
oder die entsprechenden tempor?ren Schl?ssel killen, aber l?stig ist
das schon und die Eingabe und Speicherung aller Passphrasen im Relay
kann auch kaum als L?sung gelten.
Au?erdem: warum ging das gestern noch in der alten Konfiguration und
nun nicht mehr? GPG-Relay w?rde ich fast ausschlie?en, weil dieselbe
Version.
Ich habe mich schon durch die verschiedensten .conf und die Registry
gew?hlt, aber leider ohne Erfolg.
Windows XP (NT 5.1 Build 2600 - Service Pack 2 - alle aktuellen Updates)
CPU: Intel Pentium M (586 - @1728 GHz)
with RAM: 504MB (virtual: 1921MB; used 62%)
IP: 192.168.0.11
--
Gru?
Dirk
Unterwegs mit The Bat! 3.95.8
unter Zuhilfenahme von Windows XP Service Pack 2
_______________________________________________
Gnupg-de mailing list
Gnupg-de at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-de
-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
--
Adios,
Dirk
An excerpt from Emo Philips:
"My girlfriend said to me in bed last night, 'You're a pervert' - I
said, 'That's a big word for a girl of nine.'"